Could malicious backdoors be hiding in your code, that otherwise appears perfectly clean to the human eye and text editors alike?
A security researcher has shed light on how invisible characters can be snuck into JavaScript code to introduce security risks, like backdoors, into your software.
Not everything is what it seems, in Unicode
Earlier this month, University of Cambridge researchers revealed a clever attack dubbed ‘Trojan Source’ for injecting vulnerabilities into the source code, in a way that the malicious code cannot be easily detected by human reviewers.
The method works with some of the most widely used programming languages today and adversaries could use it for supply-chain attacks.
Trojan Source attack, however, leverages the ambiguity introduced by homoglyphs, and the Unicode bidirectional mechanism (Bidi)—a feature used for accommodating both left-to-right and right-to-left character sets.
This week, a researcher has disclosed how certain characters could be injected into JavaScript code to introduce invisible backdoors and security vulnerabilities.