Organizations have secrets.

It doesn’t necessarily mean that they’re up to no good; they just may not have all of their corporate plans or internal communications laid bare for the outside world to see.

But what’s to stop someone from simply cutting-and-pasting an internal email and sending it from a webmail account to an external journalist or dumping it anonymously on Pastebin?

Well, whichever side of the leaking problem you’re standing on, there’s something of which you need to be aware.

Even the shortest section of text can contain a hidden “fingerprint” that could identify the source who has leaked the information.

Take a look at these two sentences. Can you tell which one contains a simple secret identifier that could potentially identify a leaker?

This is a test‌.

This is a test.

The use of zero-width characters like a zero-width non-joiner or other zero-width characters such as a zero-width space makes it possible to embed invisible fingerprints into text that survive the cut-and-paste process.

As British researcher Tom Ross details, it’s possible to use the technique to embed any message you like invisibly into a string of text after converting each character into binary and then using a series of zero-width characters to represent each binary digit.

Ross describes how he found a practical purpose for the trick after discovering that someone was leaking discussions from a private video gaming message board:

The security of the site seemed pretty tight so the theory was that a logged-in user was simply copying the announcement and posting it elsewhere. I created a script that allowed the team to invisibly fingerprint each announcement with the username of the user it is being displayed to.

Within a few hours the text had been shared elsewhere with a zero-width string attached. The username (Read more...)