StarDict sends X11 clipboard to remote servers

StarDict is a GPLv3-licensed cross-platform dictionary application. It includes dictionaries for a number of languages, and has a rich plugin ecosystem. It also has a glaring security problem: while running on X11, using Debian’s default configuration, it will send a user’s text selections over unencrypted HTTP to two remote servers.

StarDict on Wayland doesn’t have this problem, because Wayland prevents applications from being able to capture text from other applications by default. That does mean that it breaks StarDict’s scan feature, though.

Any user who did read the description of the package, and who knew what the YouDao plugin would do, might nevertheless expect the resulting communication to at least be encrypted. But the plugin actually reaches out to its backend servers — dict.youdao.com and dict.cn — over unsecured HTTP. So, not only are these servers sent any text the user selects, but anyone who can view traffic anywhere along its path can see the same thing.

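From a defender's side, the practical follow-up to the quoted post is egress monitoring: a plaintext HTTP request to either backend is visible on the wire, so it is also easy to detect. The script below is an added example written for this thread, not code from StarDict, the plugin, or the quoted article. It assumes a simple constructed proxy-log format (`<timestamp> <src_ip> <method> <url>`) and a guessed query-parameter shape for the lookup URLs; both are assumptions, not a description of the real plugin's traffic. It flags unencrypted requests to `dict.youdao.com` and `dict.cn` and reports the looked-up text that such a request exposes.

```python
"""Flag plaintext dictionary lookups leaving a host.

Added example for this thread, not StarDict's or the plugin's code.
Log format and URL shapes below are constructed assumptions.
"""
from urllib.parse import urlsplit, parse_qs

# Backends named in the quoted post as the YouDao plugin's servers.
WATCHED_HOSTS = {"dict.youdao.com", "dict.cn"}

# Constructed sample log lines: "<timestamp> <src_ip> <method> <url>".
# The "q"/"w" query parameters are an assumed request shape.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET http://dict.youdao.com/search?q=confidential%20merger%20terms
2024-05-01T10:00:02Z 10.0.0.5 GET https://example.org/index.html
2024-05-01T10:00:03Z 10.0.0.5 GET http://dict.cn/lookup?w=passphrase
2024-05-01T10:00:04Z 10.0.0.7 GET https://dict.youdao.com/search?q=hello
2024-05-01T10:00:05Z 10.0.0.5 POST http://dict.youdao.com/search
"""


def parse_line(line):
    """Split one constructed log line into its four fields, or None."""
    parts = line.split(None, 3)
    if len(parts) != 4:
        return None
    ts, src, method, url = parts
    return {"ts": ts, "src": src, "method": method, "url": url}


def leaked_text(url):
    """Return every query-string value in the URL, percent-decoded.

    For a plaintext request this is exactly what an on-path observer reads.
    """
    values = []
    for vals in parse_qs(urlsplit(url).query).values():
        values.extend(vals)
    return values


def find_plaintext_lookups(log_text):
    """Return one finding per unencrypted request to a watched host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        if u.scheme != "http":  # only plaintext transport is the problem here
            continue
        host = (u.hostname or "").lower()
        if host not in WATCHED_HOSTS:
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "host": host,
            "leaked": leaked_text(rec["url"]),
        })
    return findings


def hosts_by_source(findings):
    """Group flagged backends by the internal source address."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["src"], set()).add(f["host"])
    return grouped


if __name__ == "__main__":
    for f in find_plaintext_lookups(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['host']} plaintext lookup, "
              f"exposed text: {f['leaked'] or '(none in URL)'}")
```

The HTTPS line to the same backend is deliberately not flagged: the point of the post is the transport, and a TLS-protected lookup does not expose the selection to an on-path observer, even though the backend still receives it.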

And now I have a perfect example of why Wayland is more secure the next time I encounter another X11 vs. Wayland security debate.


Same here, now I am grateful to use Secureblue with Wayland only. It was a pain at the beginning, because I came from Fedora Workstation where everything “worked” and the pattern of using applications here was totally different (I had never used a flatpak, so…), and the VSCodium flatpak (for example) gave me a lot of trouble when configuring it with git, Node.js…

After reading the post I am happy to see that all the time invested was worth it!
