With a simple web-based tool, you can hide secret messages for family, friends, and fellow spies inside of plain text communications, and anyone that intercepts the messages will be none the wiser.
Steganography is the art of hiding secret messages comprised of text, code, audio, images, video, documents, and even physical objects behind a surface layer of seemingly ordinary and benign digital or tangible content. Steganographic communications are commonly used in espionage, malicious payloads, and whistleblowing — even in simple private chats by regular people online.
You can use it to hide social security and credit card numbers, addresses, sensitive information, and other private data over convenient messaging platforms without making it super obvious. An average user wouldn't think twice about it, and hackers that use man-in-the-middle attacks and other hacking methods to intercept your communications won't waste time checking everything for hidden content.
Hiding Plain Text with Zero-Width Characters
Some tools can easily embed hidden communications inside of images, audio files, and other files types. Still, one of the simplest and least suspicious ways to conceal secret messages is behind a layer of plain text.
That's where invisible zero-width "non-printing" characters come into play, such as the zero-width space and zero-width non-joiner. These formatting characters are used in Unicode for various reasons, such as to display other languages correctly, and they work great for concealing written messages or fingerprinting data.
The simplest way to use zero-width characters for steganography is by converting the plain text of a secret message into binary data. Then, that binary data is converted into a string of zero-width characters, which are then snuck into public-facing text. The hidden message remains invisible until extracted, where it's then converted back to binary data and then plain text.
This sentence isn't hiding anything.
But this sentence is concealing a secret message.
Concealing and Extracting Hidden Messages
Steganographr is a web-based app available at neatnik.net/steganographr that uses the word joiner (U+2060), zero-width space (U+200B), and zero-width non-joiner (U+200C) characters to mask private written communications behind a layer of public-facing text. These characters are commonly abbreviated as WJ, ZWSP, and ZWNJ, respectively.
While there are more advanced tools for hiding text within text, such as those that utilize encryption algorithms and passwords for another layer of protection, many of them aren't cross-platform, and some that are, like Paranoia Text Encryption, are overly complicated to use.
Since it's a web app, you can use it on your iPhone, Android device, Mac, Windows PC, Linux computer, and any other device that can open the app in a browser. To use it, go to neatnik.net/steganographr in your web browser, enter the public-facing text in the "Public message" field under the "Hide" tab, then the hidden message text in the "Private message" field, and hit the "Steganographize" button.
To decode a message to reveal its hidden text, simply copy the public-facing text, paste it into the "Public message" field under the "Reveal" tab, and hit the "Desteganographize" button.
You can send these secret messages in most apps and platforms — SMS, iMessage, email, Messenger, Twitter, Facebook, etc. — and you can even embed the concealed text in word documents.
However, know that zero-width characters may count as regular characters on platforms that limit how much room you have to type a message. For example, a WJ counts as two characters on Twitter, while the ZWSP and ZWNJ act as one character each.
Adding Another Layer of Protection
Using Steganographr is a quick way to send plain text hidden behind visible plain text, but it's not the most secure option. The only security it has is that other people do not know there's hidden text masquerading as regular text. If they suspect anything, they can use a tool like Steganographr to decode the zero-width string to binary and then the hidden message.
However, you can use Steganographr in combination with an encryption tool to further protect the message you're sending. There are many online tools for encrypting and decrypting text. You can use one of those to add asymmetric (where two mathematically connected keys are needed to encrypt and decrypt) or symmetric encryption (where only one key is required).
Making Steganographr More Convenient to Use
To get fast access to Steganographr, consider bookmarking it in all your browsers. You can also create shortcuts to jump directly to the tool instead of having to open the browser first. For example, you can add an icon for the Steganographr web app to your Home Screen on a mobile device. On an iPhone and iPad, it will even show up in your App Library.
- Safari (iOS, iPadOS): Share button –> Add to Home Screen
- Chrome (Android): Vertical ellipsis –> Add to Home screen
- Samsung Internet (Android): Three-lined icon –> Add page to –> Home screen
- Firefox (Android): Vertical ellipsis –> Install
- Edge (Android): Ellipsis –> Add to phone –> Add
- MacOS browsers: Highlight, then drag and drop the URL onto your desktop
- Chrome (Desktop): Vertical ellipsis –> Create shortcut
Is Steganographr Safe?
Since Steganographr is a web-based tool, should you be worried about the private messages you're typing or pasting in? The short answer is no. The developer of Steganographr has the source code available online to anyone who wants to check it out. If you are cautious, it's free for anyone to adapt and use, so you could copy and host it on your website or build a mobile app based on the code. If you're interested in doing that, check out the Null Byte article on using Steganographr.
Cover photo and screenshots by Justin Meyer/Gadget Hacks
Comments
No Comments Exist
Be the first, drop a comment!