- A researcher finds a way to add invisible text to emojis
- It probably can't be used for malware … probably
- It could be used for watermarking or to evade human moderation
A security researcher claims to have discovered a way to hide additional information within emoji.
Paul Butler explained how, while experimenting with Unicode, he came up with a method that exploits variation selectors (special characters designed to modify the appearance of text, but which have no visible effect on most characters). By chaining the selectors, he was able to encode invisible messages within an emoji (or any other Unicode character).
This is how it works: Unicode assigns variation selectors (U+FE00 – U+FE0F and U+E0100 – U+E01EF) to certain characters, usually to adjust their stylistic presentation. However, each of these selectors can be used to store one byte of data. Since a sequence of these selectors is preserved even when the text is copied and pasted, a person could embed a secret message within an emoji without altering its visible appearance.
Smuggling data
It seems that the method cannot be used to smuggle malware, malicious code, an application extension or anything of the kind. However, it could be used to evade human moderation or to watermark sensitive documents. With these invisible watermarks, an author could, for example, track copies of their work that were copied and posted on the Internet.
Discussing possible defensive measures, Butler said that AI could be useful. While some AI models, such as OpenAI's GPT and Google's Gemini, preserve the variation selectors, they do not naturally try to decode hidden messages.
However, when combined with code interpreters, AI systems have successfully extracted secret messages in seconds. This suggests that automated detection tools could be developed to counteract possible abuse.
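A detection tool of the kind suggested above, as an added example (not code from Butler or from this article): it flags runs of variation selectors, decodes the bytes they carry and strips them. The byte-to-selector mapping (U+FE00 – U+FE0F for bytes 0–15, U+E0100 – U+E01EF for bytes 16–255) and all function names are assumptions, and the sample string is constructed.

```python
import re

# A legitimate variation sequence is a base character plus exactly ONE selector
# (e.g. U+2764 U+FE0F), so a run of two or more is treated as suspicious.
# Limitation: a one-byte payload looks like a normal sequence and is not flagged.
VS_RUN = re.compile("[\uFE00-\uFE0F\U000E0100-\U000E01EF]{2,}")


def selector_to_byte(ch):
    """Map a variation selector to the byte it carries (assumed mapping)."""
    cp = ord(ch)
    return cp - 0xFE00 if cp <= 0xFE0F else cp - 0xE0100 + 16


def byte_to_selector(b):
    """Inverse mapping, used here only to build the constructed sample."""
    return chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16)


def find_hidden_runs(text):
    """Return one finding per selector run: offset, carrier char, decoded bytes."""
    findings = []
    for m in VS_RUN.finditer(text):
        payload = bytes(selector_to_byte(c) for c in m.group())
        carrier = text[m.start() - 1] if m.start() > 0 else ""
        findings.append({"offset": m.start(), "carrier": carrier, "payload": payload})
    return findings


def strip_hidden_runs(text):
    """Remove suspicious runs; lone selectors used for emoji styling are kept."""
    return VS_RUN.sub("", text)


def make_sample(carrier, secret):
    """Build a constructed test input: carrier followed by one selector per byte."""
    return carrier + "".join(byte_to_selector(b) for b in secret)


# Constructed sample: a smiley carrying b"id=42", then an ordinary heart emoji
# that uses a single, legitimate U+FE0F selector.
SAMPLE = "Nice post " + make_sample("\U0001F600", b"id=42") + " and a plain heart \u2764\uFE0F"

if __name__ == "__main__":
    for finding in find_hidden_runs(SAMPLE):
        print(finding)
    print(strip_hidden_runs(SAMPLE))
```

Running the scan before moderation or indexing, and logging the decoded bytes rather than silently dropping them, keeps a record of what was hidden and in which character.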
Ultimately, this could be seen as an interesting peculiarity of Unicode. In time, someone could develop a malicious use for it.