The hidden messages of WhatsApp, Telegram, and Signal are nothing new. More important in general is the role of Unicode characters and the problems their use can cause. For the past few days, people have been talking again about hidden WhatsApp messages, that is, the possibility of using the well-known instant messaging client to send messages that only appear to be empty. Practical utility? Virtually none.
Some newspapers present this as a joke to play on contacts who use WhatsApp, Telegram, and Signal, since the principle is precisely the same in all three. On the desktop, start Microsoft Word or LibreOffice Writer, open a new blank document, type the code 3164, and press ALT + X immediately afterwards. The code 3164 is transformed into a special character that takes the form of an empty square. By pressing CTRL + A to select the character, CTRL + C to copy it to the clipboard, and CTRL + V to paste it into the WhatsApp, Telegram, or Signal window, you get a message that, once sent, appears empty, causing some headaches and raising doubts in the recipient.
Press the Copy button and then paste the special character wherever you want. Beyond the “curiosity,” U+3164 is one of the many Unicode special characters that can be obtained and used in many contexts. Unicode is an encoding system that assigns a unique number to each character used for writing text, independently of the language, the IT platform, and the program used. In the article, we saw how to get symbols, special characters, smileys, and much more just by using Unicode encoding.
What is worth calling attention to is that most messaging clients and collaboration platforms do nothing to expose homographic attacks. Imagine receiving a URL that seems to point to a famous website such as Facebook, Google / Gmail, Wikipedia, and so on. The vast majority of web addresses can be written using Unicode characters that only visually resemble Latin ones. Think of the address wikipedia.org: the letters “e” and “a” can be expressed using Cyrillic characters (with Unicode encoding).
Visually it will read wikipedia.org, but that URL will point to a completely different address, for example, xn--wikipdia-g8g.org. The latter address is rendered using Punycode encoding: it is recognizable because the address begins with xn--. With Punycode, sequences of Unicode characters are expressed using standard ASCII characters. In the example, if the domain xn--wikipdia-g8g.org were registered and served at the DNS and web server level, the browser would be directed to a page that is not the official Wikipedia one.
The problem is that, in the past, the leading web browsers did not show the Punycode version of addresses (we talked about it in the article dedicated to the return of homographic attacks), so it was even easier to launch phishing attacks and make a user believe that he was on an official website when in fact he was visiting a dangerous unauthorized copy set up by cybercriminals. In most cases today, you also receive warnings like the one shown in the figure: here, Chrome warns that the destination site is not reliable.
The hidden messages of WhatsApp and similar apps allow us to draw attention to a significant problem: messaging clients and other platforms for online collaboration do not use the Punycode form for links in messages received from other users. So pay attention to the structure of the links, to where you click, and to the page the browser actually proposes. Here are many examples of homographic attacks: try copying and pasting them into a messaging client to see how each URL looks. For each application, it is indicated how the URL containing Unicode characters is handled.
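
The following Python example is added here and is not from the original article: it reports the Punycode form of every non-ASCII hostname found in a message, flags labels that mix scripts, and detects messages made only of invisible characters such as U+3164. The function names, the list of invisible code points, and the sample message are assumptions made for this example; scripts are approximated from Unicode character names.

```python
import re
import unicodedata

# Code points that render as nothing; a partial list chosen for this example.
INVISIBLE = set("\u3164\uffa0\u115f\u1160\u200b\u200c\u200d\u2060\ufeff")

# Hostname-like run: dot-separated labels, optionally preceded by a scheme.
HOST_RE = re.compile(r"(?:https?://)?((?:[^\s/:.?#]+\.)+[^\s/:.?#]+)")

def is_blank_message(text):
    """True if the message displays nothing (only whitespace or invisible code points)."""
    return all(ch.isspace() or ch in INVISIBLE for ch in text)

def scripts(label):
    """Approximate a label's scripts from the first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def to_punycode(host):
    """ASCII (xn--) form of a hostname, or None if it is not valid IDNA."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None

def scan_message(text):
    """Report every non-ASCII hostname in a message with its Punycode form."""
    findings = []
    for match in HOST_RE.finditer(text):
        host = match.group(1)
        if host.isascii():
            continue  # plain ASCII hostnames are displayed as they really are
        findings.append({
            "displayed": host,
            "punycode": to_punycode(host),
            "mixed_script": any(len(scripts(l)) > 1 for l in host.split(".")),
        })
    return findings

if __name__ == "__main__":
    # Constructed sample message: the "e" in the first link is Cyrillic U+0435.
    sample = "Docs: https://wikip\u0435dia.org/wiki and https://example.org/"
    for finding in scan_message(sample):
        print(finding)
    print(is_blank_message("\u3164"))
```

A client or gateway could show the `punycode` value next to any link for which `scan_message` returns a finding, which is the behaviour the article notes is missing from messaging apps.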