Hackers have learned how to hide secret information in ordinary emoji

Software engineer Paul Butler presented the results of his research on the use of Unicode to create a new cipher. It uses emoji as a basis, which are transmitted openly in any messages. But if you look at them through a decoder written by Butler, you can see a lot of hidden information.

The vulnerability in Unicode stems from the use of VS-1 through VS-256 “variation selectors.” The system does not recognize them as characters, and therefore does not display them on the screen – they are a kind of label with service information. But they can be linked to the displayed content, in this case to emoji. The output is a familiar image, but with the addition of information invisible to humans.

After emoji rendering, it is impossible to see the added information with the human eye or similar verification systems, and it will easily pass control and censorship. One byte of data can be placed in one selector, selectors can be combined into chains, which allows to encrypt almost unlimited amounts of information. For example, to put the equivalent of watermarks in the messages, and then trace the chain of correspondence, thereby breaking the privacy policy in some organization.

Butler found that virtually all major language models have no trouble detecting and decrypting such information. But there are limitations related to the rules of use of specific neural networks for ordinary users, plus one must be able to compose the appropriate prompts.

Butler simplified this task by making a handy tool, it is freely available and anyone can check what lies behind harmless emoji. Or encrypt your own message.

Translated with DeepL.com (free version)