
SoylentNews is people

posted by Fnord666 on Thursday April 05 2018, @08:27PM
from the digital-fingerprints dept.

Zero-width characters are invisible, ‘non-printing’ characters that are not displayed by the majority of applications. F​or exam​ple, I’ve ins​erted 10 ze​ro-width spa​ces in​to thi​s sentence, c​an you tel​​l? (Hint: paste the sentence into Diff Checker to see the locations of the characters!). These characters can be used to ‘fingerprint’ text for certain users.

Well, the original reason isn’t too exciting. A few years ago I was a member of a team that participated in competitive tournaments across a variety of video games. This team had a private message board, used to post important announcements amongst other things. Eventually these announcements would appear elsewhere on the web, posted to mock the team and, more significantly, ensuring the message board was redundant for sharing confidential information and tactics.

The security of the site seemed pretty tight so the theory was that a logged-in user was simply copying the announcement and posting it elsewhere. I created a script that allowed the team to invisibly fingerprint each announcement with the username of the user it is being displayed to.

I saw a lot of interest in zero-width characters from a recent post by Zach Aysan so I thought I’d publish this method here along with an interactive demo to share with everyone. The code examples have been updated to use modern JavaScript but the overall logic is the same.
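The summary describes tagging each announcement with the viewer's username using invisible characters. The sketch below is an added example, not the article author's script: it shows one way such a tag can be embedded and, from a reviewer's side, found, decoded and stripped. The bit-to-character mapping, the function names and the sample text are all assumptions made for illustration.

```javascript
// Assumed mapping for illustration (not taken from the article):
// bit 0 -> U+200B (ZWSP), bit 1 -> U+200C (ZWNJ), group separator -> U+200D (ZWJ).
const ZW = { '0': '\u200B', '1': '\u200C', sep: '\u200D' };
// Zero-width code points worth flagging; WORD JOINER and BOM/ZWNBSP included.
const ZW_RE = /[\u200B\u200C\u200D\u2060\uFEFF]/g;

// Encode each code point of the username as a binary group of invisible characters.
function toZeroWidth(username) {
  return [...username]
    .map(ch => ch.codePointAt(0).toString(2).replace(/[01]/g, b => ZW[b]))
    .join(ZW.sep);
}

// Hide the per-user tag after the first word of the announcement.
function fingerprint(text, username) {
  const i = text.indexOf(' ');
  const at = i === -1 ? text.length : i;
  return text.slice(0, at) + toZeroWidth(username) + text.slice(at);
}

// Reviewer's view: locate hidden characters, decode the tag, return a stripped copy.
function inspect(text) {
  const hits = [...text.matchAll(ZW_RE)].map(m => ({
    index: m.index,
    codePoint: 'U+' + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
  }));
  const payload = (text.match(/[\u200B\u200C\u200D]+/g) || []).join('');
  const decoded = payload.split(ZW.sep).filter(Boolean).map(group => {
    const n = parseInt([...group].map(c => (c === ZW['1'] ? '1' : '0')).join(''), 2);
    return n <= 0x10FFFF ? String.fromCodePoint(n) : '\uFFFD'; // guard malformed groups
  }).join('');
  return { count: hits.length, hits, decoded, clean: text.replace(ZW_RE, '') };
}

// Constructed sample announcement and username.
const original = 'Scrim moved to Friday 8pm, keep this private.';
const marked = fingerprint(original, 'alice');
const report = inspect(marked);
console.log(marked === original, report.clean === original);
console.log(report.count, report.decoded);
```

U+200C and U+200D also have legitimate uses in some scripts and in emoji sequences, so blanket stripping can change visible text; flagging the positions for review is the safer default.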


  • (Score: 2) by maxwell demon on Friday April 06 2018, @06:41AM (3 children)

    by maxwell demon (1608) on Friday April 06 2018, @06:41AM (#663301) Journal

    The inserted string shows as: "& # 8 2 0 3 ;" without the double quotes or the actual spaces inserted.

    So in other words, it shows as “​” — why not just write that?

    But then, this is not because of Firefox/Palemoon, but because that's what the site delivers to the browser. If the site had decided to deliver actual Unicode characters instead of HTML entities, then your browser would not show entities in the source.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 1) by speederaser on Friday April 06 2018, @04:10PM (2 children)

    by speederaser (4049) on Friday April 06 2018, @04:10PM (#663466)

    So in other words, it shows as “​” — why not just write that?

    Because "preview" made it invisible when I did it that way, even when I used "Plain Old Text". Just like it appears in preview on this post.

    • (Score: 2) by maxwell demon on Friday April 06 2018, @04:53PM

      by maxwell demon (1608) on Friday April 06 2018, @04:53PM (#663482) Journal

      Hint: &

      --
      The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by Osamabobama on Friday April 06 2018, @09:55PM

      by Osamabobama (5842) on Friday April 06 2018, @09:55PM (#663555)

      My favorite is when the html sorcery is correct, so preview looks fine, but the text-entry window version of the comment also gets changed, so hitting Submit (or Preview, again) will post something else.

      For instance, if you want to show <i>html tags</i> in the post, you format your comment with escape characters so the correct tag shows up in the preview. However, the comment text also strips out the escape characters, so pressing Submit will then post the comment with the tags interpreted, rather than displayed.

      Each cycle is slightly different:

      1. &lti&gthtml tags&lt/i&gt
      2. <i>html tags</i>
      3. html tags
      --
      Appended to the end of comments you post. Max: 120 chars.