Source: go.theregister.com – Author: Liam Proven
As Trixie gets ready to début, a little-known app is hogging the limelight: StarDict, which sends whatever text you select, unencrypted, to servers in China.
A discussion on the oss-security mailing list on OpenWall highlights an interesting feature of an apparently innocuous dictionary app that’s included in Debian: StarDict, a Gtk app that looks up text and displays the definition in a tooltip. The alarm was raised by Vincent Lefèvre from INRIA in an email titled “StarDict sends the user’s X11 selection to the network”:
Debian developer Maytham Alsudany responded that this isn’t a bug:
He’s right, which leaves us honestly unsure how to categorize this behavior: it’s not a bug exactly, nor an exploit, although it’s definitely a vulnerability by most definitions. Even if the app is just doing what it says on the tin, Lefèvre responded: “Such a feature should have never been enabled by default,” and has now filed bug #1110370.
StarDict has been around for decades: it has its own Wikipedia entry, which documents development going back to 2003. This particular misfeature isn’t new: an older version of the same app was already flagged as CVE-2009-2260 way back in 2009.
What StarDict does is certainly useful. For comparison, Apple macOS has a similar function built in – it’s called Look up, and in any native Mac app, you can select a word, right-click and pick Look up to get a definition. The difference is that macOS has a built-in Dictionary app so the Look up function doesn’t need the internet to work.
Linux has nothing like that, though, and if you look at the Debian package for StarDict, the online-dictionaries plug-in is one of its dependencies:
rec: stardict-plugin (= 3.0.7+git20220909+dfsg-6) International dictionary lookup program - common plugins
(For clarity, rec is short for Recommended.)
Before you recoil in shock, though, consider for whom this is intended. It’s a Chinese tool, and although it can work with numerous languages, it defaults to looking up definitions in Chinese. Standards of what sort of behavior is normal and totally unproblematic vary widely from country to country. Privacy standards vary more than many realize, and we can imagine that this sort of thing may seem quite innocuous to lots of people in China – and elsewhere in the world. We can imagine plenty of people thinking, “So, it sends whatever you select, but then a bare bank account number isn’t a great risk, is it?”
We rather suspect that this is not acceptable to a great many of our readers, however. We suggest checking if the app is installed on your system, and if it is, removing it just in case.
If they weren’t smug enough already, Wayland users can relax: Wayland’s default policy of isolating applications from one another means that on Wayland-based systems, StarDict can’t see what you’ve selected. ®
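The two practical points above, checking whether the package is installed and whether the session type leaves the selection readable, can be scripted. The following audit script is an added example, not from the article or the StarDict project; it assumes a Debian-family system with dpkg-query, uses only the package names the article mentions (stardict and stardict-plugin), and reads the standard XDG_SESSION_TYPE variable to tell X11 from Wayland sessions. The removal command it prints is a suggestion, not something the script runs.

```shell
#!/bin/sh
# Added audit script (not from the article or the StarDict project): checks a
# Debian-family system for the packages the article names and reports whether
# the X11-selection exposure applies to the current session.

# State of a Debian package: "installed", "absent", or "unknown" when
# dpkg-query is not available on this system.
pkg_state() {
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    # ${Status} reads e.g. "install ok installed"; anything else (unknown to
    # dpkg, removed, or config-files only) is treated as absent.
    st=$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null) || { echo absent; return 0; }
    case "$st" in
        *" installed") echo installed ;;
        *)             echo absent ;;
    esac
}

# Whether an app like StarDict can read other apps' selections, given the
# session type string found in $XDG_SESSION_TYPE.
selection_exposure() {
    case "$1" in
        x11)     echo exposed ;;   # any X11 client may read the PRIMARY selection
        wayland) echo isolated ;;  # compositor does not hand selections to other clients
        *)       echo unknown ;;
    esac
}

# Show what the package pulls in via Recommends, if apt-cache is present.
recommended_plugins() {
    command -v apt-cache >/dev/null 2>&1 || return 0
    apt-cache depends "$1" 2>/dev/null | grep -i 'Recommends:' || true
}

audit() {
    found=0
    for p in stardict stardict-plugin; do
        s=$(pkg_state "$p")
        echo "$p: $s"
        [ "$s" = installed ] && found=1
    done
    sess="${XDG_SESSION_TYPE:-}"
    echo "session: ${sess:-unset} -> selection $(selection_exposure "$sess")"
    recommended_plugins stardict
    if [ "$found" = 1 ]; then
        echo "StarDict present; to remove it as the article suggests:"
        echo "  sudo apt-get remove stardict stardict-plugin"
    fi
    return 0
}

audit
```

Run it as a normal user; it needs no privileges to read dpkg state. A result of "exposed" only means the session type allows other clients to read the selection, so the package check is what decides whether anything is actually reading it.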
Bootnote
Our thanks to Reg reader Sam L. for bringing this to our attention.
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/08/08/stardict_leaky_app_of_week/