According to a security researcher, they have figured out how to conceal additional information within emojis.
Paul Butler described his experiments with Unicode and how he developed a technique that takes advantage of variation selectors, which are special characters intended to alter the appearance of text but do not affect most characters. He was able to encode invisible messages inside an emoji (or any other Unicode character) by chaining the selectors together.
Unicode is a universal character encoding standard maintained by the “Unicode Consortium,” designed to support the use of text in all the world’s writing systems, including characters, symbols, and emojis.
According to Butler, the “technique” works by using variation selectors (U+FE00–U+FE0F and U+E0100–U+E01EF) that Unicode assigns to some characters, usually to change their presentation stylistically. One byte of data can be stored in each of these selectors, allowing a secret message to be embedded inside an emoji without changing its visible appearance. This is because a sequence of these selectors is maintained even when the text is copied and pasted.
Smuggling Data
The technique cannot be used to smuggle malicious code, malware, application extensions, or anything else harmful. However, it could be used for watermarking sensitive documents or evading human moderation. For example, an author may be able to track the copying and pasting of their work online using these invisible watermarks.
According to Butler, AI may help discuss potential defensive strategies. Although some AI models, like Google’s Gemini and OpenAI’s GPT, support variation selectors, they do not automatically try to decode hidden messages.
However, AI systems have been able to extract secret messages in a matter of seconds when combined with code interpreters. This suggests that automated detection tools could be developed to prevent potential misuse.
All things considered, this could be viewed as a fascinating Unicode quirk. At present, there is very little chance that someone will create a malicious use for it.
Meanwhile, according to a recent survey, only 14% of security and risk management leaders can effectively secure organisational data assets while also enabling the data to achieve business objectives, according to Gartner.