Not even emoji are safe from hackers - smiley faces can be hijacked to hide data, study claims

(Image credit: Shutterstock)

Researcher finds a way to add invisible text to emojis
It probably can't be used for malware...probably
It could be used for watermarking or bypassing human moderation

A security researcher claims to have discovered a way to hide extra information inside emoji.

Paul Butler explained how he experimented with Unicode and came up with a method that exploits variation selectors (special characters designed to modify the appearance of text but which have no visible effect on most characters). By chaining the selectors together, he was able to encode invisible messages inside an emoji (or any other Unicode character).

Here is how it works: Unicode assigns variation selectors (U+FE00–U+FE0F and U+E0100–U+E01EF) to certain characters, usually to adjust stylistic presentation. However, these selectors can be used to store one byte of data each. Since a sequence of these selectors is preserved even when copy-pasting text, a person could embed a secret message inside an emoji without altering its visible appearance.

Smuggling data

It would seem that the method cannot be used to smuggle malware or malicious code, an application extension, or anything of sorts. However, it could be used to bypass human moderation, or watermark sensitive documents. With these invisible watermarks, an author could be able to track their work being copied and pasted throughout the internet, for example.

Discussing potential defensive measures, Butler said that AI could be of use. While some AI models, such as OpenAI's GPT and Google's Gemini, preserve variation selectors, they do not naturally attempt to decode hidden messages.

However, when paired with code interpreters, AI systems have successfully extracted secret messages within seconds. This suggests that automated detection tools could be developed to counteract potential abuse.

All things considered, this could be seen as an interesting quirk of Unicode. At this time, it’s highly unlikely someone could develop a malicious use for it.

Windows machines are being targeted with ZIP file workaround
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.