Earlier this week, software engineer Paul Butler published a blog post titled “Smuggling arbitrary data through an emoji.” In it, he showcased a tool he created to allow you to do this yourself and explained how and why the tool works.
Essentially, the exploit here boils down to a fundamental problem with Unicodeโ the ability to hide bytes of data within any Unicode character by simply not including that data within the render pipeline. Unicode includes a render command past which other data can be bundled but not rendered, and exploiting that effectively allows users to create hidden messages within Unicode characters.
Is this ability to bundle hidden messages inside Unicode characters a serious problem? Probably notโ while end users won’t see the secret messages, PCs will still see it fine, and putting executable code in there isn’t possible. However, Butler points out that this feature could still be abused to sneak data past human content filters (especially hidden links, etc.) or to subtly watermark text, potentially making it possible to track leaks or identify plagiarism more easily. Since this applies to all Unicode characters, a user could theoretically apply hidden messages or watermarks to every character on a web page.
Fortunately, sneaking in an executable, an image file, or an application extension isn’t possible. Still, hiding hidden text from human eyes could cause other issues, especially when the proper context is used.
While the title refers to “arbitrary data,” users can hide whatever they want within Unicode characters, though this seems limited to text. This is different from, say, “arbitrary code execution,” where security issues open a system to unintended, malicious code execution, typically by exploiting gaps present in legitimate software, including driver software.
So, don’t worryโ you’re pretty unlikely to have your system suddenly hijacked by a deadly virus hiding within the Unicode of a common emoji anytime soon. The likelihood of someone hiding data in Unicode messages sent to you is also so ridiculously slim that it becomes near impossible. However, we suppose the chances are never zeroโ particularly when we’re now alerting you and others to the possibility.
But no one would ever do something like that, right? ๐ค๓ ๓ ๓ ๓ ๓ ๓ ๓ ๓ ๓ ด๓ ๓ ๓ พ๓ ๓ ค๓ ๓ ๓ ๓ ๓ ๓ ข๓ ๓ ๓
