Google Chrome Extension Detects « Zero-Width Character » Fingerprinting Attacks
Software developer Marco Chiappetta has built a Google Chrome extension that can detect attempts to fingerprint text using the « zero-width character » technique.
The extension, named « Replace zero-width characters with emojis » is available on the official Google Chrome Web Store and on GitHub.
Zero-width characters can be used for fingerprinting
Chiappetta built the extension after reading an article penned by British security researcher Tom Ross. In his piece, Ross detailed how organizations could use zero-width characters to fingerprint sensitive text that a user might be tempted to copy-paste in an unauthorized document or another web page.
Ross also published proof-of-concept code —demo here— that takes someone’s username and converts it into binary code, where each 1 is a zero-width space and each 0 is a zero-width non-joiner character.
This binary representation of the username using zero-width characters is then inserted into the sensitive text. Because they are « zero-width » characters, this text blob is invisible to the human eye.
Chrome extension replaces zero-width characters with emojis
Ross published his proof-of-concept code to raise awareness to this type of attacks. Whistleblowers should take particular care.
« Depending on your line of work, it could be vitally important to understand the risks associated with copying text, » Ross says. « Very little applications will try to render the zero-width characters. »
Detecting such attacks usually involves using Linux command-line utilities, something that’s above the skill level of most non-technical users. But this is where Chiappetta came in and created a Chrome extension that replaces zero-width characters with random emojis.
The extension doesn’t execute at page load, and users need to push a button to reveal zero-width characters. This behavior is intentional, so the extension’s emojis wouldn’t blend in with emojis or emoticons already present on a page.
Whistleblowers looking to protect their identities should add this extension to their operational security (OpSec) arsenal, right next to PDF Redact Tools, a utility for securely redacting and stripping metadata from PDF documents before publishing.