<h1>Fingerprinting Swift Code Using Spacecrypt</h1>
<p>Michael Tsai, 2018-01-04 (updated 2018-01-05). <a href="https://mjtsai.com/blog/2018/01/04/fingerprinting-swift-code-using-spacecrypt/">https://mjtsai.com/blog/2018/01/04/fingerprinting-swift-code-using-spacecrypt/</a></p>

<p><a href="https://pug.sh/spacecrypt/">Spacecrypt</a>:</p>
<blockquote cite="https://pug.sh/spacecrypt/">
<p>Spacecrypt works by converting your private message into binary data, and then converting that binary data into zero-width characters (which can then be hidden in your public message). These characters are used:</p>
<ul>
	<li>Unicode Character 'WORD JOINER' (U+2060)</li>
	<li>Unicode Character 'ZERO WIDTH SPACE' (U+200B)</li>
	<li>Unicode Character 'ZERO WIDTH NON-JOINER' (U+200C)</li>
</ul>
</blockquote>

<p><a href="https://meta.stackoverflow.com/questions/361390/can-posts-to-stack-overflow-be-fingerprinted-using-hidden-unicode-characters">Craig Hockenberry</a> (<a href="https://twitter.com/chockenberry/status/948665533016064000">tweet</a>):</p>
<blockquote cite="https://meta.stackoverflow.com/questions/361390/can-posts-to-stack-overflow-be-fingerprinted-using-hidden-unicode-characters">
<p>It appears that these hidden payloads can work their way into code, not just data (such as the string shown above).</p>
<p>[…]</p>
<p>I think this poses some serious issues, not just for Stack Overflow, but for the languages which are discussed on this Q&amp;A site. Hidden characters in code make effective code review <em>much</em> more difficult. In the example above, a quick review of the code would lead someone to believe that <code>foo * bar</code> would be <code>11111111</code>, not the actual value of <code>12345678987654321</code>. This would be an easy way for someone to hide a security vulnerability <a href="https://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/">in plain sight</a>.</p>
<p>It’s also very difficult to see these hidden characters at the point of origin: they don’t appear at all in Safari’s Web Inspector, and in Chrome the HTML entities blend right in with the other HTML and CSS for this site.</p>
</blockquote>

<p>Update (2018-01-05): <a href="https://twitter.com/chockenberry/status/949032701222313984">Craig Hockenberry</a>:</p>
<blockquote cite="https://twitter.com/chockenberry/status/949032701222313984">
<p>And before you say, “just ban zero width joiners and combining characters”, remember that Emoji uses both extensively.</p>
</blockquote>

<p>Tags: Google Chrome, Mac, macOS 10.13, Programming, Safari, Security, Swift Programming Language, Unicode, Web</p>
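<p>The following is an added example, not code from Spacecrypt, from Craig Hockenberry, or from this blog. It covers both passages above: <code>encode()</code>/<code>decode()</code> reproduce the scheme the Spacecrypt page describes (message to binary to zero-width characters) using the three characters it lists, while <code>find_hidden()</code> is the review-time check a code reviewer or CI job would want, flagging invisible format characters in source text but keeping a U+200D that joins an emoji sequence, the case the update warns a naive ban would break. Which character stands for which bit and the per-byte framing are assumptions, since the page does not state them; the sample Swift-looking source is constructed here and is not the snippet from the Stack Overflow post.</p>

```python
"""Hidden zero-width characters: hide, recover, and detect.

Added example, not code from Spacecrypt or from the people quoted in the
post. encode()/decode() follow the scheme the Spacecrypt page describes
(message -> binary -> zero-width characters) with its three characters;
the bit mapping and per-byte framing are assumptions. find_hidden() is
the review-time check: it flags invisible format characters in source
text but keeps U+200D when it joins an emoji sequence.
"""
import unicodedata

WORD_JOINER = "\u2060"            # U+2060, listed by Spacecrypt
ZERO_WIDTH_SPACE = "\u200b"       # U+200B, listed by Spacecrypt
ZERO_WIDTH_NON_JOINER = "\u200c"  # U+200C, listed by Spacecrypt
ZERO_WIDTH_JOINER = "\u200d"      # U+200D, not used by Spacecrypt; glues emoji

# Assumed bit mapping: the page names the characters but not their roles.
BIT0, BIT1, BYTE_SEP = WORD_JOINER, ZERO_WIDTH_SPACE, ZERO_WIDTH_NON_JOINER


def encode(secret: str) -> str:
    """UTF-8 bytes -> 8 zero-width chars per byte, bytes separated by BYTE_SEP."""
    chunks = []
    for byte in secret.encode("utf-8"):
        chunks.append("".join(BIT1 if (byte >> bit) & 1 else BIT0
                              for bit in range(7, -1, -1)))
    return BYTE_SEP.join(chunks)


def decode(carrier: str) -> str:
    """Pull the three payload characters out of any text and reverse encode()."""
    payload = "".join(ch for ch in carrier if ch in (BIT0, BIT1, BYTE_SEP))
    if not payload:
        return ""
    out = bytearray()
    for chunk in payload.split(BYTE_SEP):
        if len(chunk) != 8:  # stray U+200C in the carrier, or a truncated payload
            raise ValueError("malformed zero-width payload")
        out.append(int("".join("1" if ch == BIT1 else "0" for ch in chunk), 2))
    return out.decode("utf-8")


def hide(public: str, secret: str, at: int) -> str:
    """Splice the encoded secret into public text at a character offset."""
    return public[:at] + encode(secret) + public[at:]


def _joins_emoji(s: str, i: int) -> bool:
    """True if the ZWJ at s[i] sits between two emoji-like symbols (category So),
    allowing a variation selector (Mn) or skin-tone modifier (Sk) before it."""
    j = i - 1
    while j >= 0 and unicodedata.category(s[j]) in ("Mn", "Sk"):
        j -= 1
    k = i + 1
    return (j >= 0 and k < len(s)
            and unicodedata.category(s[j]) == "So"
            and unicodedata.category(s[k]) == "So")


def find_hidden(source: str):
    """Return [(offset, 'U+XXXX NAME'), ...] for every invisible format character
    (Unicode category Cf) except a ZWJ that is part of an emoji sequence."""
    findings = []
    for i, ch in enumerate(source):
        if unicodedata.category(ch) != "Cf":
            continue
        if ch == ZERO_WIDTH_JOINER and _joins_emoji(source, i):
            continue
        findings.append((i, "U+%04X %s" % (ord(ch), unicodedata.name(ch, "?"))))
    return findings


def visible(source: str) -> str:
    """What a reviewer's eyes get: the source with the flagged characters removed."""
    flagged = {i for i, _ in find_hidden(source)}
    return "".join(ch for i, ch in enumerate(source) if i not in flagged)


# Constructed sample (not the snippet from the Stack Overflow post): two
# Swift-style declarations whose names differ only by a hidden U+200B, plus a
# string literal holding a family emoji that legitimately contains two ZWJs.
SAMPLE = (
    "let foo = 11111111\n"
    "let fo" + ZERO_WIDTH_SPACE + "o = 1\n"
    "print(foo * fo" + ZERO_WIDTH_SPACE + "o)\n"
    "let label = \"\U0001F468\u200d\U0001F469\u200d\U0001F467\"  // family\n"
)

if __name__ == "__main__":
    for offset, what in find_hidden(SAMPLE):
        line = SAMPLE.count("\n", 0, offset) + 1
        print("line %d offset %d: %s" % (line, offset, what))
    stego = hide("Nothing to see here.", "review me", 7)
    print(repr(visible(stego)), "->", repr(decode(stego)))
```

<p>Running the scanner over a diff in CI is the practical use: the two flagged U+200B characters on lines 2 and 3 of the sample are exactly what makes the second <code>foo</code> a different identifier from the first, while the two ZWJs inside the emoji literal pass. The emoji heuristic uses general category So as a stand-in for the Extended_Pictographic property, which Python's <code>unicodedata</code> does not expose. U+200C is also a legitimate character in Persian and some Indic text, so a deployment would restrict the check to code outside string literals and comments or maintain a per-file allow-list rather than ban it outright.</p>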