Trojan Source attack: Code that says one thing to humans tells your compiler something very different, warn academics
2021-11-01 17:18

Boucher and Anderson discovered that Unicode bidirectional (bidi) control characters can be misused to misrepresent source code.

"Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code."

Concerningly, the academics say that Microsoft's VS Code and Apple's Xcode text editors don't highlight the use of bidi characters as prominently as they might - while praising Vim for showing them as "Numerical code points."

Professor Anderson told The Register: "Most programming languages let you put them in string literals and in comments, so you can use them in source code: code that appears innocuous to a human reviewer can actually do something nasty. That's bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code."

The same principle can be applied to other languages, including C, C#, C++ and JavaScript as well as Rust - though for the latter, yesterday's update to version 1.56.0 sees Rust rejecting code containing bidi characters.
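The detection side of the two points above (editors that do not make bidi characters visible, and Rust 1.56.0 refusing to compile code that contains them) can be reproduced as a small pre-review check. The scanner below is an added example, not code from the paper, from Rust or from The Register: it reports every bidi control character in a source text by line, column, code point and Unicode name, and it can print a line with those characters escaped in the "numerical code points" style the article credits Vim with. The set of code points it checks and the sample input are constructed assumptions for this illustration.

```python
"""Scanner for Unicode bidirectional (bidi) control characters in source text.

Added example (not the paper's or the project's code). It performs the kind
of check the article says Rust 1.56.0 now applies: flag any bidi control
character so a contribution can be rejected or escalated before manual review.
"""
import unicodedata

# Assumed scope: the explicit bidi override, embedding, isolate and mark
# characters. This is the set this example checks, not a claim about the
# exact list any particular compiler or editor uses.
BIDI_CONTROLS = {
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,  # LRE, RLE, PDF, LRO, RLO
    0x2066, 0x2067, 0x2068, 0x2069,          # LRI, RLI, FSI, PDI
    0x200E, 0x200F,                          # LRM, RLM
    0x061C,                                  # ALM
}


def find_bidi_controls(text):
    """Return a list of (line, column, 'U+XXXX', unicode_name) tuples,
    one per bidi control character found. Lines and columns are 1-based
    and count code points, not bytes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                findings.append(
                    (lineno, col, f"U+{cp:04X}", unicodedata.name(ch, "UNKNOWN"))
                )
    return findings


def reveal(line):
    """Render a line with each bidi control replaced by a visible <U+XXXX>
    escape, so a reviewer sees what the renderer would otherwise hide."""
    return "".join(
        f"<U+{ord(ch):04X}>" if ord(ch) in BIDI_CONTROLS else ch for ch in line
    )


def scan_source(text):
    """Return True when the text is free of bidi controls (safe to review
    as displayed), False otherwise. Mirrors a reject-on-sight policy."""
    return not find_bidi_controls(text)


# Constructed sample: a comment that carries a right-to-left override and a
# left-to-right isolate. The text itself is meaningless; it exists only so
# the scanner has something to report.
SAMPLE = (
    "def check(level):\n"
    "    # access level\u202e \u2066 trailing text\n"
    "    return level\n"
)

if __name__ == "__main__":
    for lineno, col, cp, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {cp} {name}")
    for line in SAMPLE.splitlines():
        print(reveal(line))
    print("clean" if scan_source(SAMPLE) else "bidi controls present")
```

Run it over a changed file before review; a non-empty report is the signal that the displayed text may not match what the compiler will parse, which is exactly the gap the article describes.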

Martin Lee, EMEA outreach manager for Cisco Talos, commented to The Register: "Managing security risk is all the more difficult when threat actors are able to compromise source code, or software update systems, in order to integrate malicious functionality within otherwise legitimate software."

News URL

https://go.theregister.com/feed/www.theregister.com/2021/11/01/trojan_source_language_reversal_unicode/