StarDict YouDao Plugin Privacy Vulnerability

Vulnerability

A vulnerability in the YouDao plugin for StarDict, specifically in version 3.0.7+git20220909+dfsg-6 on Debian Trixie, allows the plugin to send users' X11 selections from other applications to dict.youdao.com and dict.cn servers over unencrypted HTTP. This behavior occurs by default and can lead to the exposure of confidential information, such as passwords.

Impact

Exploitation of this vulnerability results in unauthorized transmission of user-selected data to external servers, potentially including sensitive information.

Reproduction

To reproduce this vulnerability, install the StarDict application along with the YouDao plugin on a Debian Trixie system running the X11 display server. Once StarDict is running, select a word in any other application. StarDict will automatically send the selected word to the YouDao and dict.cn servers over HTTP. This can be verified by monitoring the network traffic, or by using a tool such as strace to observe the outgoing requests; because the requests are sent without TLS, the selected text is visible in plain text in either case.
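The following is an added example, not part of the original advisory and not StarDict's or the plugin's own code. It shows how a defender could confirm the reported behaviour from an strace network capture (for instance `strace -f -e trace=network -s 256 -p <stardict pid>`): because the requests go out as cleartext HTTP, the request line and Host header are readable directly in the write()/sendto() payloads. The sample trace lines below are constructed; the request path and query format are assumptions, since the advisory does not document the plugin's exact request layout, and only the two destination hosts come from the advisory.

```python
import re
from typing import Dict, List, Optional

# Hosts the advisory names as recipients of the leaked X11 selection.
WATCHED_HOSTS = {"dict.youdao.com", "dict.cn"}

# Matches the quoted payload of an strace write()/sendto()/sendmsg() line,
# optionally prefixed by "[pid N]" as strace -f prints it.
SYSCALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(?P<call>write|sendto|sendmsg)\(\d+,\s*'
    r'"(?P<payload>(?:[^"\\]|\\.)*)"'
)

# An HTTP/1.x request line; only present when the connection is not TLS.
REQUEST_LINE_RE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")

# Constructed sample of strace output (not a real capture). The query values
# and paths are invented; in strace output "\r\n" appears as literal backslashes.
SAMPLE_TRACE = """\
connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
sendto(5, "GET /search?q=hunter2 HTTP/1.1\\r\\nHost: dict.youdao.com\\r\\nUser-Agent: StarDict\\r\\n\\r\\n", 79, 0, NULL, 0) = 79
[pid 4242] write(6, "GET /ws.php?q=hunter2 HTTP/1.1\\r\\nHost: dict.cn\\r\\n\\r\\n", 52) = 52
write(1, "unrelated output\\n", 17) = 17
"""


def parse_strace_line(line: str) -> Optional[Dict[str, str]]:
    """Return method/path/host if the line carries a cleartext HTTP request."""
    m = SYSCALL_RE.match(line)
    if not m:
        return None
    # strace escapes CR/LF as the two-character sequences "\r" and "\n".
    parts = m.group("payload").split("\\r\\n")
    req = REQUEST_LINE_RE.match(parts[0])
    if not req:
        return None
    headers: Dict[str, str] = {}
    for header in parts[1:]:
        if ":" in header:
            name, value = header.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": req.group(1), "path": req.group(2), "host": headers.get("host", "")}


def find_cleartext_leaks(lines: List[str]) -> List[Dict[str, str]]:
    """Collect every plaintext HTTP request addressed to one of the watched hosts."""
    leaks = []
    for line in lines:
        request = parse_strace_line(line)
        if request and request["host"].lower() in WATCHED_HOSTS:
            leaks.append(request)
    return leaks


if __name__ == "__main__":
    for leak in find_cleartext_leaks(SAMPLE_TRACE.splitlines()):
        # The selected text travels in the URL, readable by anyone on the path.
        print(f"cleartext {leak['method']} to {leak['host']}: {leak['path']}")
```

To check a live process, pipe strace's stderr into this script's standard input instead of the constructed sample; any hit means the selection left the machine unencrypted, which is what the Remediation section's advice to disable the plugin prevents.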

Remediation

Users can disable the YouDao plugin in the StarDict settings or manage plugins through the 'stardict-plugin' package. However, this vulnerability should not be present in the first place: features with privacy implications, such as sending selected text to remote servers, ought to be disabled by default.

Added: Aug 4, 2025, 8:27 PM
Updated: Aug 4, 2025, 8:27 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           0.0
impact           2.5
exploitability   7.7
remediation      0.0
relevance        0.3
threat           6.4
urgency          2.9
incentive        0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.