- Researcher finds a way to add invisible text to emojis
- It probably can’t be used for malware…probably
- It could be used for watermarking or bypassing human moderation
A security researcher claims to have discovered a way to hide extra information inside emoji.
Paul Butler explained how he experimented with Unicode and came up with a method that exploits variation selectors (special characters designed to modify the appearance of text but which have no visible effect on most characters). By chaining the selectors together, he was able to encode invisible messages inside an emoji (or any other Unicode character).
Here is how it works: Unicode assigns variation selectors (U+FE00–U+FE0F and U+E0100–U+E01EF) to certain characters, usually to adjust stylistic presentation. However, these selectors can be used to store one byte of data each. Since a sequence of these selectors is preserved even when copy-pasting text, a person could embed a secret message inside an emoji without altering its visible appearance.
Smuggling data
It would seem that the method cannot be used to smuggle malware or malicious code, an application extension, or anything of sorts. However, it could be used to bypass human moderation, or watermark sensitive documents. With these invisible watermarks, an author could be able to track their work being copied and pasted throughout the internet, for example.
Discussing potential defensive measures, Butler said that AI could be of use. While some AI models, such as OpenAI’s GPT and Google’s Gemini, preserve variation selectors, they do not naturally attempt to decode hidden messages.
However, when paired with code interpreters, AI systems have successfully extracted secret messages within seconds. This suggests that automated detection tools could be developed to counteract potential abuse.
All things considered, this could be seen as an interesting quirk of Unicode. At this time, it’s highly unlikely someone could develop a malicious use for it.
Leave a comment