Fingerprinting Swift Code Using Spacecrypt
Spacecrypt works by converting your private message into binary data, and then converting that binary data into zero-width characters (which can then be hidden in your public message). These characters are used:
- Unicode Character 'WORD JOINER' (U+2060)
- Unicode Character 'ZERO WIDTH SPACE' (U+200B)
- Unicode Character 'ZERO WIDTH NON-JOINER' (U+200C)
It appears that these hidden payloads can work their way into code, not just data (such as the string shown above.)
[…]
I think this poses some serious issues, not just for Stack Overflow, but for the languages which are discussed on this Q&A site. Hidden characters in code make effective code review much more difficult. In the example above, a quick review of the code would lead someone to believe that foo * bar would be 11111111, not the actual value of 12345678987654321. This would be an easy way for someone to hide a security vulnerability in plain sight.
It’s also very difficult to see these hidden characters at the point-of-origin: They don’t appear at all in Safari’s Web Inspector and in Chrome the HTML entities blend right in with the other HTML and CSS for this site.
Update (2018-01-05): Craig Hockenberry:
And before you say, “just ban zero width joiners and combining characters”, remember that Emoji uses both extensively.
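A review-time check for the three carrier characters listed above, as an added example (not code from this post, from Spacecrypt, or from anyone quoted here). The function names and the Swift-like sample text are constructed for illustration; ZERO WIDTH JOINER is deliberately left alone so emoji sequences survive.

```python
import unicodedata

# The three carrier characters named in the Spacecrypt description.
CARRIERS = {"\u2060", "\u200b", "\u200c"}

def find_hidden_runs(source):
    """Return (line, column, run_length, names) for each run of carriers."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        col = 0
        while col < len(line):
            if line[col] not in CARRIERS:
                col += 1
                continue
            start = col
            while col < len(line) and line[col] in CARRIERS:
                col += 1
            run = line[start:col]
            names = sorted({unicodedata.name(ch) for ch in run})
            findings.append((lineno, start + 1, len(run), names))
    return findings

def reveal(source):
    """Make each carrier visible as <U+XXXX> so a reviewer can see it."""
    return "".join(
        f"<U+{ord(ch):04X}>" if ch in CARRIERS else ch for ch in source
    )

# Constructed sample: line 2 hides four carriers inside a numeric literal;
# line 3 holds an emoji family sequence joined with U+200D (not a carrier).
SAMPLE = (
    "let foo = 1111\n"
    "let bar = 10\u200b\u200c\u2060\u200b01\n"
    'let family = "\U0001F468\u200d\U0001F469\u200d\U0001F467"\n'
)

if __name__ == "__main__":
    for lineno, col, length, names in find_hidden_runs(SAMPLE):
        print(f"line {lineno}, col {col}: {length} hidden chars ({', '.join(names)})")
    print(reveal(SAMPLE))
```

Run as a pre-commit or CI step, a non-empty result from `find_hidden_runs` is the signal to block the change and inspect the `reveal` output.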
2 Comments
That's why there are discussions about changing the accepted charsets for operators and symbols in Swift.
https://lists.swift.org/pipermail/swift-evolution/Week-of-Mon-20170925/040009.html