StarDict Plugins in Debian 13 Raise Privacy Concerns

Debian 13 is just days away from launch, and according to the developers, all known bugs have been fixed—so it’s ready to roll. So far, so good. But a recent discussion around the upcoming Trixie release has raised some red flags. Here’s what’s going on.

Vincent Lefevre, from France’s national institute for research in digital science and tech, has voiced serious concerns about a potential privacy issue tied to one of the apps included in the final Debian 13 release. The app in question? StarDict.

It’s totally normal if you’ve never heard of it—thankfully, the app isn’t all that popular. We’re talking about a dictionary lookup application that allows users to search for definitions, translations, and explanations of words using various dictionary databases.

It uses online servers as a backend, and its GTK-based UI sends your search queries to them. So far, that all sounds pretty normal—but here’s where things start to get concerning.

When used with certain plugins, it automatically sends user-selected text from any X11-based application over the internet to remote servers, without user consent or even a warning.

While the package itself is described simply as a multilingual dictionary app, it automatically pulls in a plugin package (stardict-plugin) via Debian’s Recommends mechanism. This plugin bundle includes network-based dictionary lookups that trigger on the system’s X11 selection—essentially, any text a user highlights.

Once triggered, StarDict sends the selected text in plaintext over HTTP to third-party servers in China, namely dict.youdao.com and dict.cn. And to make matters worse, these requests are made over unencrypted HTTP, making the data visible to anyone monitoring the network—whether on a local LAN or through a compromised router.

Let me break it down in simpler terms. Suppose you’re running an X session on Debian 13 and you marked some text—like your credit card number, username, password, or whatever—to paste it somewhere else. In that case, that info is already silently on its way to servers in China without you even realizing it.

Why? Because StarDict, with the stardict-plugin installed, automatically sends any text you select to those servers—and once again, it does so over plain, unencrypted HTTP.

Now, you might think you’re safe as long as you don’t install that plugin. I have news for you: it’s a dependency for the GTK frontend, which Debian 13 installs and enables by default. So even if you never asked for it, it’s already there, quietly doing its thing.

For example, to confirm what he said, Lefevre shows that when he selects “relation” in some application, a strace on stardict shows:

911565 write(16, "GET HTTP://dict.youdao.com/fsearch?q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.youdao.com\r\nConnection: close\r\n\r\n", 171) = 171
911565 write(17, "GET HTTP://dict.cn/ws.php?utf8=true&q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.cn\r\nConnection: close\r\n\r\n", 164) = 164Code language: JavaScript (javascript)

In a message to the Debian mailing list, Lefevre shares his concerns:

Be careful with StarDict! By default, when the application is running, it sends whatever the user selects (from other applications) to Chinese servers!

A comment from a Debian developer followed that—I’ll let you be the judge of that.

Yes, that’s a feature: it will lookup your selections in local and online dictionaries, and by default it searches English-Chinese dictionaries. You can disable it in the settings by enabling “Only scan while the modifier key is being pressed” under “Scan Selection”, or disable the network dictionary plugins (dict.cn and youdao.com).

If you use Wayland, application will be sandboxed by default, so it won’t be able to get selections from other apps anyway.

Lefevre’s expected response is more than reasonable:

Such a feature should have never been enabled by default.

Feature? Seriously? I’d love to meet the user who installs StarDict and immediately heads to the settings to turn off this so-called “feature”—or disables the plugin’s network access entirely.

I don’t know how to put it any more plainly: this is absolutely unacceptable. And when we’re talking about Debian—a project known for its commitment to open source, reliability, and user privacy—it’s honestly hard to wrap your head around how something like this made it through.

Things get even more confusing when you realize that just a few years ago, this exact issue was reported as a CVE vulnerability in Debian (CVE-2009-2260). But now, in Trixie, it’s being treated as a feature. Honestly, I’m not even sure what to say—this whole thing just doesn’t make any sense.

Finally, to wrap things up, it’s worth pointing out that this StarDict behavior can only happen in an X session. If you’re running Debian 13 with Wayland, then you’re safe, thanks to the protocol’s sandboxed design. And at this point, I guess folks who think Wayland is some kind of big tech conspiracy being forced on users without good reason might want to rethink that stance.

With Debian 13 just around the corner, my advice is simple: steer clear of StarDict. Yeah, it’s 2025, and using an old-school desktop app like that is pretty unusual—but still, you never know. If you care about your privacy, it’s best just to avoid it altogether.