Stories
Slash Boxes
Comments

SoylentNews is people

Be Careful What You Copy: Invisibly Inserting Usernames Into Text

posted by Fnord666 on Thursday April 05 2018, @08:27PM   Printer-friendly
from the digital-fingerprints dept.

Arthur T Knackerbracket has found the following story:

Zero-width characters are invisible, ‘non-printing’ characters that are not displayed by the majority of applications. F​or exam​ple, I’ve ins​erted 10 ze​ro-width spa​ces in​to thi​s sentence, c​an you tel​​l? (Hint: paste the sentence into Diff Checker to see the locations of the characters!). These characters can be used to ‘fingerprint’ text for certain users.

Well, the original reason isn’t too exciting. A few years ago I was a member of a team that participated in competitive tournaments across a variety of video games. This team had a private message board, used to post important announcements amongst other things. Eventually these announcements would appear elsewhere on the web, posted to mock the team and more significantly; ensuring the message board was redundant for sharing confidential information and tactics.

The security of the site seemed pretty tight so the theory was that a logged-in user was simply copying the announcement and posting it elsewhere. I created a script that allowed the team to invisibly fingerprint each announcement with the username of the user it is being displayed to.

I saw a lot of interest in zero-width characters from a recent post by Zach Aysan so I thought I’d publish this method here along with an interactive demo to share with everyone. The code examples have been updated to use modern JavaScript but the overall logic is the same.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Be Careful What You Copy: Invisibly Inserting Usernames Into Text | Log In/Create an Account | Top | 91 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Informative) by takyon on Thursday April 05 2018, @09:54PM (1 child)

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Thursday April 05 2018, @09:54PM (#663122) Journal

    I don't think that's the case. I copied this string below into this very reply box, and the characters are hidden:

    Confidential Announcement: ‌​​​‌​‌‌‍‌​​‌‌​‌​‍‌​​​‌‌​​‍‌​​​‌​‌‌‍‌​​‌‌​‌​‍‌​​​‌‌​‌This is some confidential text that you really shouldn't be sharing anywhere else.

    There is no JavaScript on SoylentNews or my extension that would cause it to behave differently.

    But on the diff checker link and this tool [0xcc.net] (made obvious in the URL textarea, where you see the regular characters and then a massive amount of encoded ones) they can be seen. It has nothing to do with JavaScript, but may have something to do with how your system handles fonts and Unicode.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 1) by anubi on Friday April 06 2018, @06:39AM

    by anubi (2828) on Friday April 06 2018, @06:39AM (#663300) Journal

    I have Javascript blocked, the example string looked perfectly normal. When I copypasta to Notepad, it still looks fine, but when I copypasta to TextPad, I get a lot of whitespace between the "T" and the "h" of the word "This" in the document.

    If this becomes commonplace, I may well have to drop back to my old DOS programmer's editor, which I know for a fact neither places nor honors unseen characters, and anything fishy shows up as hex. That was during my days of using Assembler.

    This is another glaring example of WHY I am so reticent to adopt "new" technology. This kinda flying blind crap is for businessmen. Not for engineers.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]