Weekly highlights: StarDict - The compelling dictionary application
In a recent development, Vincent Lefèvre from INRIA has raised an alarm about the open-source dictionary lookup tool StarDict, which sends users' X11 selections to servers in China without consent or warning[1]. This happens by default and potentially exposes sensitive data such as passwords or private messages to interception along the network path[2][3].
StarDict, a Gtk application that looks up text and displays the definition in a tooltip, has been a staple for many Linux users for decades[4]. However, it seems that this default behavior on X11 systems, where the application automatically sends user-selected text (X11 clipboard/selection) over unencrypted HTTP to servers in China, is causing a stir.
An older version of StarDict was already flagged as CVE-2009-2260 in 2009[1]. In response, Debian developer Maytham Alsudany stated that this isn't a bug but a feature[1]. Nevertheless, the lack of encryption and the automatic nature of this data transmission create a serious risk[1][2][3].
The Debian package for StarDict lists the online-dictionaries plug-in as one of its dependencies[1]. Some of these plugins, specifically those that query the Chinese servers dict.youdao.com and dict.cn, are responsible for the data transmission[1].
To address this privacy concern, users can take several steps:
- Disable the network dictionary plugins that perform these lookups by removing the package or disabling those plugins from within the application settings[3].
- Enable the option "Only scan while the modifier key is being pressed" under the "Scan Selection" settings in StarDict to prevent automatic sending of all selected text[3].
- Use Wayland instead of X11 as the display server, since Wayland implements sandboxing and would limit such clipboard snooping at the system level[3].
- Alternatively, uninstall StarDict entirely if you do not require its functionality[2].
The Debian maintainers have proposed splitting the network dictionary plugins into a separate package with appropriate warnings, but until then, users should apply the above mitigations to avoid unintended data leakage[3].
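A defender-side check that complements the mitigations above: an added example (not code from the bug report, Debian or the StarDict project) that scans a simple HTTP request log for lookups to the dictionary hosts named above and marks which ones travelled in plaintext. The log line format, URL paths and query parameter names are constructed assumptions for the example, not StarDict's real request format.

```python
"""Added example: spot StarDict-style dictionary lookups in an HTTP request log."""
from urllib.parse import urlsplit, unquote_plus

# Hosts named in the Debian bug report as receiving the selected text.
DICT_HOSTS = ("dict.youdao.com", "dict.cn")


def _matches(host, watch_hosts):
    """True if host is one of watch_hosts or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in watch_hosts)


def flag_dict_lookups(log_lines, watch_hosts=DICT_HOSTS):
    """Return one record per request to a watched dictionary host.

    Expected line format (constructed for this example, not a real StarDict
    or proxy format): "<timestamp> <client-ip> <method> <url>".
    Each record carries the decoded query string, which is exactly what an
    on-path observer can read when the request is plain HTTP.
    """
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url = parts
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        if not _matches(host, watch_hosts):
            continue
        findings.append({
            "client": client,
            "host": host,
            "plaintext": u.scheme == "http",
            "query": unquote_plus(u.query),
        })
    return findings


# Constructed sample log; paths and parameter names are illustrative only.
SAMPLE_LOG = [
    "2025-08-01T10:00:01Z 10.0.0.5 GET http://dict.youdao.com/lookup?q=my+secret+passphrase",
    "2025-08-01T10:00:02Z 10.0.0.5 GET https://example.org/index.html",
    "2025-08-01T10:00:03Z 10.0.0.7 GET http://www.dict.cn/search?q=hello%20world",
    "2025-08-01T10:00:04Z 10.0.0.7 GET https://dict.youdao.com/lookup?q=encrypted+lookup",
    "garbled line",
]

if __name__ == "__main__":
    for f in flag_dict_lookups(SAMPLE_LOG):
        kind = "PLAINTEXT" if f["plaintext"] else "tls"
        print(f"{kind:9} {f['client']} -> {f['host']} query={f['query']!r}")
```

Run against the constructed log it reports two plaintext lookups (the decoded query shows the leaked selection) and one TLS lookup, which still leaves the host without consent but is not readable on the path.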
It is worth noting that StarDict's behavior is not exactly categorized as a bug, nor as an exploit, but it is a vulnerability by most definitions[5]. Regardless of the label, the privacy implications are significant, and users are advised to take the necessary precautions.
StarDict, which has its own Wikipedia entry documenting development going back to 2003, has been a useful tool for many Linux users. However, given the recognized privacy issues, users may want to consider disabling or uninstalling the application until the privacy concerns are addressed.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110370
[2] https://www.theregister.com/2021/10/22/starDict_privacy_concerns/
[3] https://www.theregister.com/2021/10/25/starDict_privacy_mitigation/
[4] https://en.wikipedia.org/wiki/StarDict
[5] https://www.theregister.com/2021/10/26/starDict_defence/
- The privacy concern with StarDict, a popular Linux dictionary lookup tool, stems from its automatic sending of user-selected text (the X11 clipboard/selection) over unencrypted HTTP to servers in China, exposing sensitive data such as passwords or private messages.
- Convenience features such as StarDict's online-dictionaries plug-in can carry hidden security risks, as shown by the lack of encryption and the automatic nature of this data transmission.
- Even long-established software like StarDict can expose users to privacy issues through its default behavior: on X11 systems, user-selected text is sent to servers in China without user consent or warning.