StarDict Plugins in Debian 13 Raise Privacy Concerns
When used with certain plugins, StarDict automatically sends user-selected text from any X11-based application over the internet to remote servers, without user consent or even a warning.
While the package itself is described simply as a multilingual dictionary app, it automatically pulls in a plugin package (stardict-plugin) via Debian’s Recommends mechanism. This plugin bundle includes network-based dictionary lookups that trigger on the system’s X11 selection—essentially, any text a user highlights.
Once triggered, StarDict sends the selected text to third-party servers in China, namely dict.youdao.com and dict.cn. To make matters worse, these requests are made over unencrypted HTTP, making the data visible to anyone monitoring the network, whether on a local LAN or through a compromised router.
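A defender's check for the behaviour described above, as an added example that is not part of the original article or of StarDict: it scans raw HTTP request heads taken from cleartext traffic and flags those whose Host header is one of the two lookup servers the article names. The sample requests, their paths, and the subdomain matching are constructed assumptions; the article does not give the plugins' actual request format.

```python
from typing import Iterable, List, Optional, Tuple

# Hosts named in the article. Matching their subdomains too is an assumption.
LOOKUP_HOSTS = ("dict.youdao.com", "dict.cn")


def host_of(request_head: str) -> Optional[str]:
    """Return the normalized Host header of a raw HTTP/1.x request head."""
    lines = request_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:            # skip the request line
        if not line:                  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if not host.startswith("["):      # leave IPv6 literals untouched
                host = host.split(":", 1)[0]  # drop an explicit port
            return host.rstrip(".")
    return None


def is_lookup_host(host: str) -> bool:
    """Exact or subdomain match, so 'notdict.cn' does not count as 'dict.cn'."""
    return any(host == h or host.endswith("." + h) for h in LOOKUP_HOSTS)


def flag_requests(heads: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (host, request line) for each cleartext request to a lookup host."""
    hits = []
    for head in heads:
        host = host_of(head)
        if host and is_lookup_host(host):
            hits.append((host, head.replace("\r\n", "\n").split("\n", 1)[0]))
    return hits


# Constructed sample capture; paths are placeholders, not the plugins' real URLs.
SAMPLE_CAPTURE = [
    "GET /constructed-path?q=highlighted+text HTTP/1.1\r\nHost: dict.youdao.com\r\n\r\n",
    "GET /constructed-path HTTP/1.1\r\nhost: DICT.CN:80\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: notdict.cn\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: dict.cn.example.org\r\n\r\n",
    "POST / HTTP/1.1\r\nUser-Agent: x\r\n\r\nHost: dict.cn\r\n",  # Host in body only
]

if __name__ == "__main__":
    for host, request_line in flag_requests(SAMPLE_CAPTURE):
        print(f"cleartext lookup to {host}: {request_line}")
```

The request line is reported alongside the host because, over unencrypted HTTP, it is exactly what an on-path observer would also see.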