
These invisible characters could be hidden backdoors in your JS code
2021-11-10 13:18

A security researcher has shed light on how invisible characters can be snuck into JavaScript code to introduce security risks, like backdoors, into your software.

This week, a researcher has disclosed how certain characters could be injected into JavaScript code to introduce invisible backdoors and security vulnerabilities.

Once again, the result of this expression will always be 'true' as the environment will actually be set equal to ENV PROD, with the interpreter almost ignoring the 'ǃ'. "There are many other characters that look similar to the ones used in code which may be used for such purposes. Unicode calls these characters 'confusables'," states Ettlinger.

Syntax highlighting isn't a reliable approach as invisible characters may not be shown at all, let alone be colorized by the text editor of an IDE. "The attack requires the IDE/text editor to correctly render the invisible characters," explains Ettlinger.

Playing around with invisible Unicode characters isn't new knowledge either.

"The Cambridge team proposes restricting Bidi Unicode characters. As we have shown, homoglyph attacks and invisible characters can pose a threat as well," says Ettlinger.
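A review-time check for the three character classes named above (Bidi controls, invisible characters, and non-ASCII identifier characters such as 'ǃ') can be sketched as follows. This is an added example, not code from the article or from the researcher; the names `classify`, `scanSource` and `SAMPLE` are hypothetical and the sample lines are constructed. It assumes a code base whose source is expected to be ASCII, so it also flags non-ASCII letters inside strings and comments.

```javascript
// Classify one code point; the first matching class wins.
function classify(ch) {
  if (/\p{Bidi_Control}/u.test(ch)) return "bidi-control";
  // Format characters and default-ignorable code points render as nothing.
  if (/[\p{Default_Ignorable_Code_Point}\p{Cf}]/u.test(ch)) return "invisible";
  // Non-ASCII characters that are legal inside a JS identifier (homoglyph risk).
  if (ch.codePointAt(0) > 0x7f && /\p{ID_Continue}/u.test(ch)) {
    return "non-ascii-identifier-char";
  }
  return null;
}

// Return one finding per suspicious character, with its position in the source.
function scanSource(src) {
  const findings = [];
  src.split(/\r\n|\r|\n/).forEach((text, i) => {
    let column = 1; // counted in UTF-16 units, as most editors do
    for (const ch of text) { // iterates by code point
      const kind = classify(ch);
      if (kind) {
        const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
        findings.push({ line: i + 1, column, codePoint: "U+" + hex, kind });
      }
      column += ch.length;
    }
  });
  return findings;
}

// Constructed sample; escapes are used so every character here stays visible.
const SAMPLE = [
  "const ENV_PROD = 'PROD';",
  "if (environment\u01C3=ENV_PROD) { /* reads like != */ }",
  "let count\u200D = 0;",
  "let ok = true; \u202E// trailing comment",
  "const plain = 1;",
].join("\n");

for (const f of scanSource(SAMPLE)) {
  console.log(`${f.line}:${f.column} ${f.codePoint} ${f.kind}`);
}
```

Run over changed files in CI or a pre-commit hook, a non-empty result is a reason to fail the check and inspect the line in a hex view.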


News URL

https://www.bleepingcomputer.com/news/security/these-invisible-characters-could-be-hidden-backdoors-in-your-js-code/