Hiding secrets in online text with zero-width characters

Originally published at: https://boingboing.net/2019/10/10/feff-200c-200d-200e-2060-180e.html


Nothing to see here…

‌‎­‍⁠​‌‍​‍​‌ ​⁠‌‌ ​​‌‌‌‌​​​­​‌​⁠​‍‍​ ​⁠‌‌ ​⁠​­­​​⁠‌‌​⁠⁠­‍​​​ ​‌‌​ ​‌‌‍​​ ​​⁠‌​​




Oh, yeah, “Security by Obscurity” . I think Mr. Schneier has something to say about this gambit.

1 Like

Fuuuuuck that one! For some reason Mediawiki, the software that Wikipedia and I use for stuff, is prone to picking that one up in copy-pastes. They’ll lurk in article text causing annoying problems until bots on seek and destroy missions can eliminate them.


Oh man, I used to troll the shit out of a LiveJournal community I didn’t like with a slightly similar trick many years ago. I came up with a technique to hide a autoplaying Vimeo video full of odd sounds in anonymous comments. I set the pixel width and height count in the embed code to ‘0 by 0’ and it was pretty much invisible (i’m not a coder or web designer so I was thoroughly impressed I could come up with such a thing on my own). The moderators had to go to each one of the comments to find the comment that was playing the video :rofl:


I kind of like how these make it hard for cheating intro CS students. “Prof, the code I wrote doesn’t work…”


For the curious, here’s the hidden text:


Here’s more info on this BOM (byte order mark) character from Wikipedia:

Encoding 	Representation (hexadecimal) 	Representation (decimal) 	Bytes as CP1252 characters
UTF-16 (BE) 	FE FF 	       254 255 	        þÿ

“If encountered anywhere in such a text stream, U+FEFF is to be interpreted as a ‘zero width no-break space’.”

I was hoping for a message, but I guess EFF is in there, so good enough.

1 Like

Except any decent text string parser is going to strip out any non-word characters before doing anything with it. Most basic web form encoding/decoding nukes all that.

This topic was automatically closed after 5 days. New replies are no longer allowed.