Use invisible zero-width characters to hide secret messages in plain sight

Use invisible zero-width characters to hide secret messages in plain sight

With a simple web tool, you can hide secret messages for family, friends, and fellow spies inside regular text messages, and anyone who intercepts the messages won’t know anything.

Steganography is the art of hiding secret messages, consisting of text, code, audio, images, videos, documents, and even physical objects, behind a surface layer of seemingly ordinary and harmless digital or tangible content. Steganographic messages are commonly used in espionage, malware, and whistleblowing—even in simple private chats of ordinary people on the Internet.

You can use it to hide social security and credit card numbers, addresses, sensitive information, and other personal details on user-friendly messaging platforms without making them too obvious. The average user won’t think about it, and hackers using man-in-the-middle attacks and other hacking techniques to intercept your messages won’t waste time checking everything for hidden content.

Hiding plain text with zero-width characters

Some tools can easily embed hidden communications in images, audio files, and other types of files. However, one of the easiest and least suspicious ways to hide secret messages is with a plain text layer.

This is where the invisible “non-printable”zero-width characters, such as the zero-width space and the zero-width non-joiner, come into play. These formatting characters are used in Unicode for a variety of reasons, such as displaying other languages ​​correctly, and they are great for hiding written messages or fingerprinting data.

The easiest way to use zero-width characters for steganography is to convert the plain text of the secret message to binary data. This binary data is then converted to a zero-width character string, which is then embedded in the public text. The hidden message remains invisible until retrieved, at which point it is converted back to binary data and then to plain text.

This sentence isn't hiding anything.

But this sentence is conc‌​​‌‌​‌⁠‌‌​​​​‌⁠‌‌​‌​‌‌⁠‌‌​​‌​‌⁠‌​​​​​⁠‌‌‌​​‌‌⁠‌‌‌​‌​‌⁠‌‌‌​​‌​⁠‌‌​​‌​‌⁠‌​​​​​⁠‌‌‌​‌​​⁠‌‌​‌‌‌‌⁠‌​​​​​⁠‌‌​​‌‌​⁠‌‌​‌‌‌‌⁠‌‌​‌‌​​⁠‌‌​‌‌​​⁠‌‌​‌‌‌‌⁠‌‌‌​‌‌‌⁠‌​​​​​⁠‌​​​‌‌‌⁠‌‌​​​​‌⁠‌‌​​‌​​⁠‌‌​​‌‌‌⁠‌‌​​‌​‌⁠‌‌‌​‌​​⁠‌​​​​​⁠‌​​‌​​​⁠‌‌​​​​‌⁠‌‌​​​‌‌⁠‌‌​‌​‌‌⁠‌‌‌​​‌‌⁠‌​​​​​⁠‌‌​‌‌‌‌⁠‌‌​‌‌‌​⁠‌​​​​​⁠‌​‌​‌​​⁠‌‌‌​‌‌‌⁠‌‌​‌​​‌⁠‌‌‌​‌​​⁠‌‌‌​‌​​⁠‌‌​​‌​‌⁠‌‌‌​​‌​⁠‌​‌‌​​⁠‌​​​​​⁠‌​​​‌‌​⁠‌‌​​​​‌⁠‌‌​​​‌‌⁠‌‌​​‌​‌⁠‌‌​​​‌​⁠‌‌​‌‌‌‌⁠‌‌​‌‌‌‌⁠‌‌​‌​‌‌⁠‌​‌‌​​⁠‌​​​​​⁠‌‌​​​​‌⁠‌‌​‌‌‌​⁠‌‌​​‌​​⁠‌​​​​​⁠‌​​​‌‌​⁠‌‌​‌‌​​⁠‌‌​‌​​‌⁠‌‌‌​​​​⁠‌‌​​​‌​⁠‌‌​‌‌‌‌⁠‌‌​​​​‌⁠‌‌‌​​‌​⁠‌‌​​‌​​⁠‌​​​​​⁠‌‌​​‌‌​⁠‌‌​‌‌‌‌⁠‌‌‌​​‌​⁠‌​​​​​⁠‌‌​‌‌​‌⁠‌‌​‌‌‌‌⁠‌‌‌​​‌​⁠‌‌​​‌​‌⁠‌​​​​​⁠‌‌​‌​​​⁠‌‌​​​​‌⁠‌‌​​​‌‌⁠‌‌​‌​‌‌⁠‌‌‌​​‌‌⁠‌​‌‌‌​ealing a secret message.

Hiding and Retrieving Hidden Messages

Steganographr is a web application available at eatnik.net/steganographr that uses word concatenation (U+2060), zero-width space (U+200B), and non-concatenation characters (U+200C) for masking. private written communications behind a layer of public text. These characters are usually abbreviated as WJ, ZWSP, and ZWNJ, respectively.

While there are more advanced tools for hiding text within text, such as using encryption algorithms and passwords for another layer of protection, many of them are not cross-platform, and some, such as Paranoia Text Encryption, are overly complex. use.

Since this is a web app, you can use it on your iPhone, Android device, Mac, Windows PC, Linux computer, and any other device that can open the app in a browser. To use it, go to eatnik.net/steganographr in a web browser, enter the public text in the Public Message field on the Hide tab, then the hidden message text in the Private Message field, and click the Steganograph button.

To decrypt a message to reveal its hidden text, simply copy the public text, paste it into the Public Message box on the Reveal tab, and click the Desteganograph button.

You can send these secret messages on most apps and platforms—SMS, iMessage, email, Messenger, Twitter, Facebook, and more—and you can even embed hidden text in text documents.

However, be aware that zero-width characters may be considered regular characters on platforms that limit the space for typing a message. For example, WJ counts as two characters on Twitter, while ZWSP and ZWNJ act as one character each.

Adding another layer of protection

Using Steganographr is a quick way to send plain text hidden behind visible plain text, but it’s not the most secure option. The only security it has is that other people don’t know that the hidden text is masquerading as plain text. If they suspect something, they can use a tool like Steganographr to decode the zero-width string into binary and then into a hidden message.

However, you can use Steganographr in combination with an encryption tool to further secure the message you send. There are many online tools for encrypting and decrypting text. You can use one of these to add asymmetric (where two mathematically related keys are needed for encryption and decryption) or symmetric encryption (where only one key is needed).

Making Steganographr more user-friendly

For quick access to Steganographr, bookmark it in all your browsers. You can also create shortcuts to go directly to the tool instead of opening the browser first. For example, you can add the Steganographr web app icon to the home screen of a mobile device. On iPhone and iPad, it will even appear in your App Library.

  • Safari (iOS, iPadOS): Share Button -> Add to Home Screen
  • Chrome (Android): vertical ellipsis -> Add to home screen
  • Samsung Internet (Android): 3-line icon -> Add page to -> Home screen
  • Firefox (Android): Vertical ellipsis -> Install
  • Edge (Android): Ellipsis -> Add to phone -> Add
  • MacOS browsers: Highlight and then drag the URL to the desktop.
  • Chrome (desktop): Vertical ellipsis -> Create Shortcut

Adding to the iOS home screen from Safari (left); adding a Galaxy to the home screen from Chrome (middle); and adding a Pixel from Firefox to the home screen (right).

Is the steganograph safe?

Since Steganographr is a web-based tool, should you be concerned about the private messages you type or paste? Short answer: no. The developer of Steganographr has the source code available online for anyone who wants to check it out. If you’re careful, anyone can adapt and use it for free, so you can copy and paste it on your website or create a mobile app from the code. If you’re interested, check out Null Byte’s article on using Steganographr.

Leave a Reply

Your email address will not be published. Required fields are marked *