Thursday, January 4, 2018

Fingerprinting Swift Code Using Spacecrypt


Spacecrypt works by converting your private message into binary data, and then converting that binary data into zero-width characters (which can then be hidden in your public message). These characters are used:

  • Unicode Character 'WORD JOINER' (U+2060)
  • Unicode Character 'ZERO WIDTH SPACE' (U+200B)
  • Unicode Character 'ZERO WIDTH NON-JOINER' (U+200C)

Craig Hockenberry (tweet):

It appears that these hidden payloads can work their way into code, not just data (such as the string shown above.)


I think this poses some serious issues, not just for Stack Overflow, but for the languages which are discussed on this Q&A site. Hidden characters in code make effective code review much more difficult. In the example above, a quick review of the code would lead someone to believe that foo * bar would be 11111111, not the actual value of 12345678987654321. This would be an easy way for someone to hide a security vulnerability in plain sight.

It’s also very difficult to see these hidden characters at the point-of-origin: They don’t appear at all in Safari’s Web Inspector and in Chrome the HTML entities blend right in with the other HTML and CSS for this site.

Update (2018-01-05): Craig Hockenberry:

And before you say, “just ban zero width joiners and combining characters”, remember that Emoji uses both extensively.
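
An added example, not part of the original post or of Spacecrypt: a Python scanner that reports the three characters listed above wherever they occur in source text, and flags a zero width joiner only when it does not sit between emoji-like characters. The emoji test is a heuristic assumed here, and the function names and sample text are constructed for illustration.

```python
import unicodedata

# The three characters the page lists as Spacecrypt's alphabet.
SPACECRYPT_CHARS = {"\u2060", "\u200b", "\u200c"}
ZWJ = "\u200d"   # ZERO WIDTH JOINER, legitimate inside emoji sequences
VS16 = "\ufe0f"  # emoji variation selector, may directly precede a ZWJ


def _emoji_like(ch):
    # Heuristic (assumption): treat categories So/Sk and VS16 as emoji parts.
    return ch == VS16 or unicodedata.category(ch) in ("So", "Sk")


def find_hidden(text):
    """Return (line, column, 'U+XXXX NAME') for each suspicious invisible character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for i, ch in enumerate(line):
            if ch in SPACECRYPT_CHARS:
                suspicious = True
            elif ch == ZWJ:
                # A joiner is expected only between two emoji-like characters.
                prev_ok = i > 0 and _emoji_like(line[i - 1])
                next_ok = i + 1 < len(line) and _emoji_like(line[i + 1])
                suspicious = not (prev_ok and next_ok)
            else:
                suspicious = False
            if suspicious:
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append((lineno, i + 1, f"U+{ord(ch):04X} {name}"))
    return findings


# Constructed sample: two identifiers that render identically, an emoji
# family sequence that must not be flagged, and a string with stray joiners.
SAMPLE = (
    'let foo = 11111111\n'
    'let fo\u200bo = 111111111\n'
    'let family = "\U0001F468\u200d\U0001F469\u200d\U0001F467"\n'
    'let tag = "a\u200db\u2060"\n'
)

if __name__ == "__main__":
    for lineno, col, what in find_hidden(SAMPLE):
        print(f"line {lineno}, column {col}: {what}")
```

Columns are counted in code points, so they may differ from what an editor that counts grapheme clusters or UTF-16 units displays.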


That's why there are discussions about changing the accepted charsets for operators and symbols in Swift.
