StarDict sends X11 clipboard to remote servers
12 days ago
- #Debian
- #privacy
- #security
- StarDict, a GPLv3-licensed cross-platform dictionary application, has a security issue where it sends user text selections over unencrypted HTTP to remote servers.
- The issue arises from the default-enabled 'scan' feature and the YouDao plugin, which contacts the Chinese dictionary services dict.youdao.com and dict.cn.
- Debian's default configuration exacerbates the problem, as StarDict is designed to run in the background, continuously monitoring text selections.
- Wayland users are unaffected because Wayland by default prevents one application from capturing another application's text, which breaks StarDict's scan feature.
- Debian maintainer Xiao Sheng Wen suggested disabling the features if unwanted, but critics argue privacy-invasive features should not be enabled by default.
- Previous similar issues were reported in 2009 and 2015, with fixes either temporary or incomplete, highlighting ongoing maintenance challenges.
- Debian's package popularity contest shows only 178 users with StarDict installed, down from ~1000 in 2009-2015, but the risk remains for sensitive data exposure.
- The incident underscores broader concerns about Linux security reputation and the balance between functionality and privacy in open-source maintenance.
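As an added defender-side check, not code from StarDict or the article: the script below scans proxy log lines for plaintext HTTP requests to the two dictionary hosts named above and reports the looked-up text, which is what a background scan feature would have sent from the user's selection. The log format, URL paths and query parameter names are assumptions, and the sample lines are constructed.

```python
# Added example (not StarDict code): flag plaintext HTTP lookups to the dictionary
# hosts the article names, as a network-side check for selection text leaking.
# Log format, URL paths and query parameter names are assumptions/constructed.
from urllib.parse import urlsplit, parse_qs

# Hosts the article says the YouDao plugin / scan feature contacts.
WATCHED_HOSTS = {"dict.youdao.com", "dict.cn"}

def parse_proxy_line(line):
    """Parse a constructed key=value proxy log line into a dict."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields

def find_plaintext_dictionary_lookups(log_lines, hosts=WATCHED_HOSTS):
    """Return (timestamp, client, host, lookup_text) for every plaintext HTTP
    request to a watched host. HTTPS requests to the same hosts are skipped:
    the lookup still reaches the vendor, but an on-path observer cannot read it,
    which is the exposure the article's "unencrypted HTTP" point is about."""
    leaks = []
    for line in log_lines:
        fields = parse_proxy_line(line)
        parts = urlsplit(fields.get("url", ""))
        if parts.scheme != "http" or parts.hostname not in hosts:
            continue
        # Treat every query value as text that left the machine in the clear
        # (parse_qs also URL-decodes it).
        query = parse_qs(parts.query)
        lookup = " ".join(v for values in query.values() for v in values)
        leaks.append((fields.get("ts", "?"), fields.get("client", "?"),
                      parts.hostname, lookup))
    return leaks

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    "ts=2024-05-01T09:00:01Z client=10.0.0.5 url=http://dict.youdao.com/search?q=AKIA_EXAMPLE_KEY",
    "ts=2024-05-01T09:00:02Z client=10.0.0.5 url=https://deb.debian.org/debian/dists/stable/InRelease",
    "ts=2024-05-01T09:00:03Z client=10.0.0.7 url=http://dict.cn/lookup?w=password%20hunter2",
    "ts=2024-05-01T09:00:04Z client=10.0.0.7 url=https://dict.youdao.com/search?q=encrypted",
]

if __name__ == "__main__":
    for ts, client, host, lookup in find_plaintext_dictionary_lookups(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}: {lookup!r}")
```

Running it on the constructed log reports the two plaintext lookups and ignores the HTTPS requests, including the encrypted one to dict.youdao.com.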