- The researcher finds a way to add invisible text to emojis
- It probably cannot be used for malware … probably
- It could be used for watermark or bypassing human moderation
A security researcher claims to have discovered a way to hide additional information inside Emoji.
Paul Butler explained how he experienced Unicode and proposed a method that exploits the variation selectors (special characters designed to modify the appearance of the text but which have no visible effect on most characters). By chaining the selectors together, he was able to code invisible messages inside an emoji (or any other unicode character).
Here is how it works: Unicode attributes variation selectors (U + Fe00 – U + FE0F and U + E0100 – U + E01EF) to certain characters, generally to adjust the stylistic presentation. However, these selectors can be used to store an byte of data each. Since a sequence of these selectors is kept even during the copy text, a person could integrate a secret message inside an emoji without modifying their visible appearance.
Smuggling data
It would seem that the method cannot be used to pass malware or a malicious code, an application extension or something. However, it could be used to bypass human moderation or sensitive documents to the watermark. With these invisible filigranes, an author could be able to follow their work by being copied and glued on the internet, for example.
Discussing potential defensive measures, Butler said that AI may be useful. While some models of AI, such as the GPT of Openai and the Gemeni of Google, retain selectors of variation, they do not naturally try to decode hidden messages.
However, when associated with code interpreters, AI systems managed to extract secret messages in a few seconds. This suggests that automated detection tools could be developed to counter potential abuse.
All well considered, it could be considered an interesting oddity of Unicode. For the moment, it is very unlikely that someone can develop malicious use.
