Don't believe everything you (don't) see: fingerprinting text with zero-width chars



anon
04.09.18, 02:04
I found this to be a most interesting read.

https://www.zachaysan.com/writing/2017-12-30-zero-width-characters
https://www.zachaysan.com/writing/2018-01-01-fingerprinting-update

Instab
04.09.18, 15:37
a good text editor can clean that. for delicate content, copy the text in a good text editor of your choice and use whatever it has to offer. also use features like "show invisibles" for control.

slikrapid
04.09.18, 18:13
After discovering these techniques I shared them with some friends to try to help track down a cyber criminal which they thought might be an insider threat (it wasn’t, it was just a normal blackhat hacker). Then the White House started leaking like an old hose, so I continued to keep quiet. The reason I’m writing about this now is that it appears both homoglyph substitution and zero-width fingerprinting have been discovered by others, so journalists should be informed of the existence of these techniques.

his own story makes him look dishonest (reason for writing), unpatriotic (kept quiet), suspicious for both being involved in questionable activity (finding that blackhat) and possibly in an intelligence operation (white house didn't pay him a visit)



Avoid releasing excerpts and raw documents.
Get the same documents from multiple leakers to ensure they have the exact same content on a byte-by-byte level.
Manually retype excerpts to avoid invisible characters and homoglyphs.
Keep excerpts short to limit the amount of information shared.
Use a tool that strips non-whitelisted characters from text before sharing it with others.


and some of his advice makes little sense: no raw documents=no proof, multiple leakers as if it's a crowded marketplace, manual retyping may add criminal charges, short excerpts means little leakage

anon
05.09.18, 03:11
a good text editor can clean that. for delicate content, copy the text in a good text editor of your choice and use whatever it has to offer. also use features like "show invisibles" for control.

True, but non technically-inclined people don't know this and the common wisdom is that "if you paste stuff in Notepad, it loses all formatting and is 'safe' to handle", when this issue doesn't even rely on text formatting.

A cheap workaround I found is to paste the text, but save the file as ANSI and say yes when told that you will lose all Unicode characters. After reopening, the zero-width characters will have transformed into question marks. The problems are that 1. you won't be able to clean text using any characters outside your system locale's code page (which is what "ANSI" actually stands for in Notepad); 2. you have to delete those question marks manually.


his own story makes him look dishonest (reason for writing), unpatriotic (kept quiet), suspicious for both being involved in questionable activity (finding that blackhat) and possibly in an intelligence operation (white house didn't pay him a visit)

I think the author is/was a cybersecurity consultant, so it makes sense that he'd be hired to find a hacker. I didn't really understand the part about the White House, though.
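An added example, not from any poster or from the linked articles: a Python check that finds, reveals and strips zero-width characters without losing other Unicode text the way the Notepad/ANSI workaround does, and that compares two copies of an excerpt. The sample strings and function names are constructed for illustration.

```python
import unicodedata

def is_invisible(ch):
    # Unicode category Cf ("format") covers U+200B-U+200F, U+2060, U+FEFF,
    # soft hyphen and similar characters that render with no width.
    # Variation selectors (category Mn) are not covered by this check.
    return unicodedata.category(ch) == "Cf"

def find_invisibles(text):
    """Return (offset, 'U+XXXX', name) for every format character in text."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"))
            for i, c in enumerate(text) if is_invisible(c)]

def reveal(text):
    """Make format characters visible, like an editor's "show invisibles"."""
    return "".join(f"<U+{ord(c):04X}>" if is_invisible(c) else c for c in text)

def strip_invisibles(text):
    # Caveat: ZWJ/ZWNJ are legitimate in some scripts and in emoji sequences,
    # so stripping them can change how such text renders.
    return "".join(c for c in text if not is_invisible(c))

def compare_copies(a, b):
    """Classify two copies of what should be the same excerpt."""
    if a.encode("utf-8") == b.encode("utf-8"):
        return "identical"
    if strip_invisibles(a) == strip_invisibles(b):
        return "differ only in invisible characters"
    return "visible text differs"

# Constructed samples: the same sentence marked differently for two recipients.
COPY_A = "Quarterly\u200b results are\u200c confidential."
COPY_B = "Quarterly results\u200d are confidential\ufeff."

if __name__ == "__main__":
    for offset, cp, name in find_invisibles(COPY_A):
        print(f"offset {offset}: {cp} {name}")
    print(reveal(COPY_B))
    print(compare_copies(COPY_A, COPY_B))
    print(strip_invisibles(COPY_A))
```

This does not catch homoglyph substitution, where a visible letter is swapped for a lookalike from another script.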

slikrapid
05.09.18, 17:58
I think the author is/was a cybersecurity consultant, so it makes sense that he'd be hired to find a hacker.

just like in the movies, eh?


I didn't really understand the part about the White House, though.

you'd expect them to question everyone who openly admits having relevant information about their leaks, unless he is already working for their team, which would also explain the kind of advice mentioned above

Renk
09.09.18, 16:58
I found this to be a most interesting read.

https://www.zachaysan.com/writing/2017-12-30-zero-width-characters
https://www.zachaysan.com/writing/2018-01-01-fingerprinting-update


Here are 2 interesting extensions concerning Zero Width Characters:

FF addon to detect it:
ZeroWidth Detection (https://addons.mozilla.org/en-US/firefox/addon/zerowidth-detection)

Checks websites that you visit for invisible zero-width characters and replaces them with a specified character. Has the ability to copy all the characters found.
This addon detects static zero width characters as on the site you provide, and (if the appropriate option is selected) dynamically inserted ZWC too, as in umpox.com/zero-width-detection (https://www.umpox.com/zero-width-detection/).


FF addon to use it:
inØsight — Zero Width Obfuscation (https://addons.mozilla.org/en-US/firefox/addon/in0sight)

Stay protected from Canary Traps while having the capability to hide in plain sight whether that's for hiding personal information or talking to a friend.

Completely open source, advertisement, and log free.

By default all sites support version 1, however rarely some sites such as twitter restrict *some* characters and in that case you can click on the scroll bar inside the ui and use version 2.0 instead.

Version 2.1 supports Protonmail.
More in-depth list to come out in the future.



This page may be useful too:
Python3 code to encode/decode text into zero-width characters (https://github.com/mikkel1156/ZeroWidth-Coder-Python3)

anon
09.09.18, 19:31
Nice finds. Here is an article which elaborates even more on this matter and will let you test those addons.

https://blog.fastforwardlabs.com/2017/06/23/fingerprinting-documents-with-steganography.html

For a similar concept, see https://www.xn--e1awd7f.com/

Renk
09.09.18, 20:16
Nice finds. Here is an article which elaborates even more on this matter and will let you test those addons.

Alas, the second addon doesn't seem to work here. Tried to insert "anon is a pr0n addict!!!" in my message, but it failed miserably :biggrin:




For a similar concept, see https://www.xn--e1awd7f.com/

Yes, similar concept although a little less subtle. But dangerous nevertheless. In FF/about:config you have to set network.IDN_show_punycode to true in order to never be fooled by this homoglyph attack.
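An added example, not from any poster: what showing punycode protects against, done by hand in Python. It decodes each `xn--` label of the host linked above and reports which script its letters come from and what Latin word it can be read as. The `LOOKALIKES` table is a small constructed subset of Cyrillic/Latin lookalikes, not a complete confusables list.

```python
import unicodedata

# Constructed subset: Cyrillic letters that render like Latin ones.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (ACE 'xn--' prefix decoded)."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Script of each letter, taken from the first word of its Unicode name."""
    return sorted({unicodedata.name(c, "UNKNOWN").split()[0]
                   for c in text if c.isalpha()})

def reads_as(text):
    """Latin string the label can pass for, or None if it is plain ASCII
    or contains a character outside the lookalike table."""
    if text.isascii():
        return None
    out = [c if c.isascii() else LOOKALIKES.get(c) for c in text]
    return None if None in out else "".join(out)

def inspect_host(host):
    """One record per label: ACE form, Unicode form, scripts, Latin reading."""
    report = []
    for label in host.rstrip(".").split("."):
        uni = decode_label(label)
        report.append({"ace": label, "unicode": uni,
                       "scripts": scripts(uni), "reads_as": reads_as(uni)})
    return report

if __name__ == "__main__":
    for rec in inspect_host("www.xn--e1awd7f.com"):
        print(rec)
```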

anon
10.09.18, 21:54
Alas, the second addon doesn't seem to work here. Tried to insert "anon is a pr0n addict!!!" in my message, but it failed miserably :biggrin:

That's because it's smart, I'm only a casual watcher :eyebrows: