Thursday, January 4, 2018

Fingerprinting Swift Code Using Spacecrypt


Spacecrypt works by converting your private message into binary data, and then converting that binary data into zero-width characters (which can then be hidden in your public message). These characters are used:

  • Unicode Character 'WORD JOINER' (U+2060)
  • Unicode Character 'ZERO WIDTH SPACE' (U+200B)
  • Unicode Character 'ZERO WIDTH NON-JOINER' (U+200C)

Craig Hockenberry (tweet):

It appears that these hidden payloads can work their way into code, not just data (such as the string shown above.)


I think this poses some serious issues, not just for Stack Overflow, but for the languages which are discussed on this Q&A site. Hidden characters in code make effective code review much more difficult. In the example above, a quick review of the code would lead someone to believe that foo * bar would be 11111111, not the actual value of 12345678987654321. This would be an easy way for someone to hide a security vulnerability in plain sight.

It’s also very difficult to see these hidden characters at the point-of-origin: They don’t appear at all in Safari’s Web Inspector and in Chrome the HTML entities blend right in with the other HTML and CSS for this site.

Update (2018-01-05): Craig Hockenberry:

And before you say, “just ban zero width joiners and combining characters”, remember that Emoji uses both extensively.

2 Comments RSS · Twitter

That's why there is discussions about changing the accepted charsets for operators and symbols in Swift.

Leave a Comment