Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The StarDict Vulnerability: A Global Security Concern


StarDict, a dictionary app packaged in Debian, has been found to send users' selected text to dictionary servers in China in plaintext, exposing that text both to the operators of those servers and to anyone able to observe the traffic on the way there.

  • StarDict sends user-selected text to Chinese dictionary servers in plaintext, so the text is readable by those servers and by anyone on the network path.
  • The feature can be disabled in the settings, but it should not have been enabled by default.
  • The online sources are dict.youdao.com and dict.cn; whatever text is looked up leaves the machine.
  • macOS has a built-in dictionary that looks words up locally; Linux has no equivalent, which is the gap StarDict's online plug-in fills.
  • The Debian stardict package pulls in the online-dictionaries plug-in as a dependency, which raises questions about how package dependencies are vetted.
  • The incident underlines the need for greater awareness of data protection and of which defaults are considered acceptable.



    StarDict, a seemingly innocuous dictionary app included in Debian, has been found to have a feature that raises questions about user privacy and security. The app, which has been around for decades, sends the text a user selects to servers in China in plaintext, raising concerns about data protection and potential exploitation.

    The issue was noticed by Vincent Lefèvre of INRIA, who reported it to Maytham Alsudany, a Debian developer. Alsudany confirmed that this is an intended feature of the app rather than a bug, and that it can be disabled in the settings. Lefèvre's objection was a different one: a feature that ships selected text off the machine should not be enabled by default.

    StarDict sends the selected text to online dictionary services in China, dict.youdao.com and dict.cn, and it does so in plaintext. That has two consequences. The operators of those services see every word or phrase that is looked up, and so does anyone who can observe the traffic between the user and them, because nothing on the way is encrypted. The fact that the app's default online sources are English-Chinese dictionaries explains why those particular hosts are contacted, and means the destination follows from the defaults rather than from any choice the user made.
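    What an on-path observer can recover from a plaintext lookup, as an added example for this article and not code from StarDict, Debian or The Register: the script below parses raw HTTP requests, picks out those bound for the two hosts named in the report, and extracts the looked-up text. The request texts are constructed, and the URL shapes assumed for dict.youdao.com (a query parameter) and dict.cn (a path segment) are illustrative assumptions, not a description of those services' real APIs. It only considers port 80, because a TLS session would not yield readable request text at all, which is precisely the difference at issue.

```python
"""Recover what a plaintext dictionary lookup exposes to an on-path observer.

Added example; not code from StarDict, Debian or The Register. The request
texts below are constructed, and the URL shapes assumed for the two hosts
are illustrative assumptions rather than those services' actual APIs.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts named in the report; anything sent here over port 80 is readable on the wire.
WATCHED_HOSTS = {"dict.youdao.com", "dict.cn"}

# Query-string keys tried before falling back to the last path segment (assumption).
QUERY_KEYS = ("q", "w", "word")


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.x request into method, target and lower-cased headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def request_host(req: Dict[str, object]) -> str:
    """Host from the Host header, or from an absolute-URI target (HTTP/1.0 style)."""
    headers = req["headers"]
    assert isinstance(headers, dict)
    host = headers.get("host") or urlsplit(str(req["target"])).netloc
    return host.split(":", 1)[0].lower()


def looked_up_text(req: Dict[str, object]) -> Optional[str]:
    """The word or phrase a dictionary request carries, or None if this is not one."""
    if request_host(req) not in WATCHED_HOSTS:
        return None
    parts = urlsplit(str(req["target"]))
    query = parse_qs(parts.query)
    for key in QUERY_KEYS:
        if key in query and query[key][0]:
            return query[key][0]
    # Fallback for services that put the word in the path (assumed for dict.cn).
    last_segment = unquote(parts.path.rstrip("/").rsplit("/", 1)[-1])
    return last_segment or None


def find_leaks(captures: List[Tuple[int, str]]) -> List[Dict[str, str]]:
    """One record per unencrypted dictionary lookup in (dst_port, raw_request) captures.

    Only port 80 is examined: on 443 the observer would see TLS records, not
    a request, so there is nothing to parse and nothing leaks this way.
    """
    leaks: List[Dict[str, str]] = []
    for dst_port, raw in captures:
        if dst_port != 80:
            continue
        req = parse_request(raw)
        text = looked_up_text(req)
        if text is not None:
            leaks.append({"host": request_host(req), "text": text})
    return leaks


# Constructed sample traffic, not a real capture.
SAMPLE_CAPTURES: List[Tuple[int, str]] = [
    (80, "GET /search?q=confidential%20merger%20plan HTTP/1.1\r\n"
         "Host: dict.youdao.com\r\nUser-Agent: StarDict\r\n\r\n"),
    (80, "GET /patient HTTP/1.1\r\nHost: dict.cn\r\n\r\n"),
    (80, "GET /index.html HTTP/1.1\r\nHost: www.debian.org\r\n\r\n"),
    (443, "\x16\x03\x01..."),  # start of a TLS ClientHello: nothing readable here
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CAPTURES):
        print(f"{leak['host']}: {leak['text']!r} was readable on the wire")
```

    To check a real machine rather than the constructed sample, capture its outbound traffic with something like `tcpdump -A port 80` while selecting text, and paste the request texts into `find_leaks`; a StarDict host with the online plug-in active will show the selected words in the results. The unencrypted third entry in the sample is deliberately not flagged: the problem is not port-80 traffic as such, but selected text being sent to a lookup service where anyone in between can read it.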

    It's worth noting that the underlying idea, looking up a selected word without leaving the current application, is not unusual. Apple's macOS has it built in, but its native Dictionary app looks words up locally and does not need the internet to do so. Linux has no such equivalent, and apps like StarDict fill the gap with online dictionaries, which is where the selected text leaves the machine.

    The discovery of this feature highlights the need for greater scrutiny of open-source software and its dependencies. The Debian stardict package pulls in the online-dictionaries plug-in as a dependency, so a user who installs the dictionary gets the network-calling component whether or not they wanted it, which raises questions about how such dependencies are vetted.

    Furthermore, that such a feature shipped, enabled by default, in a widely used app like StarDict says something about what sort of behaviour is considered normal and acceptable. Standards of privacy and data protection vary significantly across countries, and this incident highlights the need for greater awareness and education about these issues.

    In conclusion, the StarDict issue is less an exploitable bug than a dangerous default: a privacy leak that is there by design and switched on out of the box. It highlights the need for greater scrutiny of open-source software and its dependencies, and underscores the importance of user awareness and education about data protection and security concerns.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-StarDict-Vulnerability-A-Global-Security-Concern-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/08/08/stardict_leaky_app_of_week/


  • Published: Fri Aug 8 11:11:44 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
