
Weekly acclaimed app: StarDict

Debian 13 includes a novel characteristic: sending user-selected text directly to China, unencrypted

In the Linux world, a privacy concern has surfaced around StarDict, the default dictionary application in Debian 13. This popular GTK app looks up the text a user selects and shows the definition in a tooltip. To do so, it sends the user's X11 selection, taken from other applications, to servers in China and Taiwan by default.

Upstream treats this behaviour as a feature rather than a bug, exploit or vulnerability, yet by most reasonable definitions it is an information disclosure: text the user never meant to share leaves the machine unencrypted. Vincent Lefèvre, a well-known developer at INRIA, raised the alarm by filing Debian bug #1110370.

StarDict's network dictionary plugins, which are pre-installed and enabled by default in Debian 13's GTK frontend, automatically send the selected text to Chinese dictionary servers such as dict.youdao.com and dict.cn for lookup. This happens without the user's consent or awareness, and the selection may well contain sensitive data such as passwords or credit card numbers.
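As an added example (not code from StarDict, Debian or the bug report), the following Python script shows how a defender could spot this kind of leak in outbound traffic logs. It scans a few constructed proxy-style log lines, flags every request to the dictionary hosts named above, records whether the request went over plain http, extracts the query text that was transmitted, and runs a Luhn check to see whether that text looks like a card number. The log layout, the `/search?q=` path and the parameter name are assumptions made for the sample data, not StarDict's actual request format.

```python
"""Flag outbound dictionary lookups that carry selected text in the clear.

Added example, not StarDict, Debian or bug-report code. The log format and
the URL shape below are assumptions for the constructed sample data.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Hosts named in the report; any lookup to them means a selection left the box.
DICT_HOSTS = {"dict.youdao.com", "dict.cn"}

# Constructed sample log: <epoch> <client_ip> <method> <url>
SAMPLE_LOG = """\
1723456001.001 10.0.0.12 GET http://dict.youdao.com/search?q=hunter2
1723456002.104 10.0.0.12 GET http://dict.cn/search?q=4111+1111+1111+1111
1723456003.300 10.0.0.12 GET https://deb.debian.org/debian/dists/trixie/InRelease
1723456004.555 10.0.0.12 GET http://dict.youdao.com/search?q=serendipity
"""


@dataclass
class Finding:
    host: str        # dictionary server that received the lookup
    cleartext: bool  # True when the request used plain http
    text: str        # the selected text that was transmitted
    sensitive: bool  # True when the text passes a card-number check


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(text: str) -> bool:
    """Heuristic: 13-19 digits (spaces/dashes allowed) with a valid Luhn checksum."""
    digits = re.sub(r"[\s-]", "", text)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def leaked_text(url: str) -> str:
    """Return every query-string value in the URL, joined with spaces.

    Which parameter carries the looked-up word is an assumption here, so all
    values are collected rather than one hard-coded name.
    """
    qs = parse_qs(urlsplit(url).query)
    return " ".join(v for values in qs.values() for v in values)


def audit(log_text: str) -> list[Finding]:
    """Scan log lines and return one Finding per lookup sent to a dictionary host."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed or empty line
        url = fields[3]
        parts = urlsplit(url)
        if parts.hostname not in DICT_HOSTS:
            continue
        text = leaked_text(url)
        findings.append(Finding(
            host=parts.hostname,
            cleartext=parts.scheme == "http",
            text=text,
            sensitive=looks_like_card(text),
        ))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        flag = "CARD?" if f.sensitive else ""
        proto = "http (cleartext)" if f.cleartext else "https"
        print(f"{f.host:16} {proto:17} {f.text!r} {flag}")
```

In a real deployment the same logic would be fed from a proxy access log or from DNS query logs; the point of the example is that, because the lookup travels as a plain URL, anyone on the path sees exactly what the user selected, and a Luhn check is enough to pick card numbers out of that stream.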

To address this, users can disable the network dictionary plugins in StarDict's settings, which stops all network lookups. Alternatively, enabling "Only scan while the modifier key is being pressed" under "Scan Selection" restricts lookups to moments when a specific key is held down, which reduces accidental leaks but still transmits whatever is selected while the key is pressed; only disabling the network plugins stops the lookups entirely.

For those who find StarDict's behaviour unacceptable, removing the package is another option. It is also worth noting that Wayland's default policy isolates clients from one another, so StarDict cannot see other applications' selections in a Wayland session. The caveat is that X11 applications running under Xwayland still share a single X server, and with it the X11 selection, among themselves.

StarDict, although it can work with many languages, defaults to Chinese definitions. An older version was already flagged for this behaviour as CVE-2009-2260 in 2009. The project has been around for about two decades; its Wikipedia entry documents development since 2003.

Interestingly, Apple macOS has a similar built-in function called "Look up", while Linux has no comparable built-in feature.

It is worth noting that expectations differ: behaviour of this kind may be considered normal and unproblematic in certain countries.

In summary, the privacy-leaking behaviour is enabled by default in Debian 13's packaging of StarDict and must be disabled manually to stop the X11 selection from being sent to Chinese servers. Users are advised to check their settings and take the precautions above before relying on this application.

  1. StarDict's network dictionary plugins automatically send selected text to Chinese dictionary servers for lookup, which is a security concern whenever the selection might contain sensitive data such as passwords or credit card numbers.
  2. Users can protect themselves by disabling the network dictionary plugins in StarDict's settings, or by enabling "Only scan while the modifier key is being pressed" under "Scan Selection" so that text is only sent while a key is held.
  3. More generally, software that reads user data, whether a desktop app, a cloud service or an AI system, should be built with privacy as a priority so that such data is never sent anywhere without the user's knowledge.
