Invisible Malicious Unicode Risks

From Kicksecure

This wiki page explains the security risk of invisible Unicode characters that can be copied and pasted into terminal emulators or introduced as vulnerabilities or backdoors through source code contributions, and documents how to check files and folders for suspicious Unicode.

Video: OOPS! They tricked me to install MALWARE! Clipboard Hidden Text Attacks explained

Unicode as a Security Risk[edit]

Some Unicode characters are invisible when displayed but are still copied along with the surrounding text and can change what a program actually executes. This is a security risk for:

  • A) Users: commands copied and pasted into a terminal emulator.
  • B) Developers: invisible vulnerabilities or backdoors introduced through source code contributions.

These adversarial encodings likely produce no visual artifacts in most editors and terminals.

Original attack research: https://trojansource.codes/

Forum discussion: https://forums.whonix.org/t/detecting-malicious-unicode-in-source-code-and-pull-requests/13754

Checking Files for Unicode[edit]

NOTE: Not all Unicode in files is necessarily malicious. Only some Unicode characters in some files are suspicious or potentially malicious.

grep-find-unicode-wrapper [1] can help to check files for unicode.

Syntax for files:

grep-find-unicode-wrapper /path/to/filename

Example for files:

Note: The following example checks the file ~/.bashrc. Replace ~/.bashrc with the actual file to check.

grep-find-unicode-wrapper ~/.bashrc

Syntax for folders:

grep-find-unicode-wrapper -r /path/to/folder

Example for folders:

Note: The following example checks the user's home folder. Replace ~/ with a different folder if another folder should be checked.

grep-find-unicode-wrapper -r ~/

Expected output:

  • A) If no Unicode has been found: nothing (no output).
  • B) If Unicode has been found: all lines that include Unicode.
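The wrapper above reports every line that contains any Unicode, and the note earlier on this page points out that not all of it is suspicious. The following added example (written for this page, not the grep-find-unicode-wrapper's own code) shows how such a scan can be refined: it reports every non-ASCII code point with its line, column and Unicode name, and separates invisible and directional-control characters (Unicode general category Cf, plus non-ASCII control and separator categories; that grouping is this example's own choice) from ordinary non-ASCII text such as accented letters in a comment. The sample input is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Report non-ASCII code points in text, flagging invisible and
bidirectional-control characters separately from ordinary non-ASCII
text (accented letters, symbols) that is usually harmless."""
import sys
import unicodedata
from dataclasses import dataclass
from typing import List

# Unicode general categories whose members render as nothing, or reorder
# what is displayed, while still being parsed by a shell or compiler.
# This set is an assumption made for the example, not an official list.
HIGH_RISK_CATEGORIES = {"Cf", "Cc", "Co", "Cn", "Zs", "Zl", "Zp"}


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number
    column: int      # 1-based column, counted in code points (not bytes)
    codepoint: int
    name: str        # Unicode character name, if assigned
    category: str    # two-letter Unicode general category
    severity: str    # "high" for invisible/control, "info" for other non-ASCII


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per non-ASCII code point in text."""
    findings = []
    # Split on "\n" only: str.splitlines() would also treat U+2028/U+2029
    # (LINE/PARAGRAPH SEPARATOR) as line breaks and silently drop them.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp < 0x80:
                continue  # plain ASCII is never reported
            category = unicodedata.category(ch)
            severity = "high" if category in HIGH_RISK_CATEGORIES else "info"
            findings.append(Finding(lineno, col, cp,
                                    unicodedata.name(ch, "<unassigned>"),
                                    category, severity))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan a file as UTF-8; undecodable bytes become U+FFFD (reported as info)."""
    with open(path, "rb") as fh:
        return scan_text(fh.read().decode("utf-8", errors="replace"))


def format_finding(f: Finding) -> str:
    return (f"{f.line}:{f.column}: U+{f.codepoint:04X} {f.name} "
            f"[{f.category}] {f.severity}")


# Constructed sample: one clean line, one line with a RIGHT-TO-LEFT OVERRIDE
# that reverses how the rest of the line is displayed, one harmless comment
# with accented letters, and one token that hides a ZERO WIDTH SPACE.
SAMPLE = (
    "apt update && apt install -y curl\n"
    "echo 'visible' \u202e'reversed' \u202c\n"
    "# Grüße aus Berlin\n"
    "TOKEN=abc\u200bdef\n"
)


def main(argv: List[str]) -> int:
    exit_code = 0
    if len(argv) < 2:
        # No path given: scan the constructed sample so the script runs stand-alone.
        sources = [("<sample>", scan_text(SAMPLE))]
    else:
        sources = [(p, scan_file(p)) for p in argv[1:]]
    for path, findings in sources:
        for f in findings:
            print(f"{path}:{format_finding(f)}")
        # Fail only on invisible/control characters, so accented text in
        # comments does not break a pre-commit or CI check.
        if any(f.severity == "high" for f in findings):
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the sample report, or pass one or more file paths. A non-zero exit status only for "high" findings lets the scan be used as a pre-commit or CI gate on source contributions without failing on legitimate non-ASCII text, which is the distinction the note above makes.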

Resources[edit]

GCC protects against this (https://www.phoronix.com/news/GCC-LLVM-Trojan-Source), but other compilers and script interpreters do not even have bug reports filed for it.

Footnotes[edit]
