
Security Bits — 14 November 2021

Feedback & Followups

Deep Dive 1 — the Trojan Source Attack

Security researchers have described a new technique for hiding malicious code so that compilers see it, but humans don’t.

The trick involves abusing the Unicode special characters that alter the direction of the flow of text. Most languages are read left-to-right, but some are right-to-left. As well as allowing entire documents to be marked as right-to-left, Unicode provides special hidden characters for switching the text direction of different sections within a single file. This is useful when, for example, you want to write an English document that quotes Arabic or Hebrew passages.

These special characters don’t change the order of the contents in the actual file; they only change the way Unicode-aware viewers display the text.

Compilers are programs that convert human-written and readable text into binary code computers can execute. Compilers process text files in order, and they completely ignore formatting characters like those for specifying text direction.

The code editors and IDEs (Integrated Development Environments) used by developers rely on standard APIs to render text in a human-friendly way, with nice fonts, colours, text styles, and varying weights. Those APIs are generic, used to render text in all sorts of apps, so unlike compilers, they do obey Unicode text direction markers.

This means that by a pure accident of code re-use, it’s possible for code editors to show text in a different order than the compiler will see it. That’s a massive problem because it means the code humans see is not the code the compilers will compile, opening up a universe of nefarious possibilities.

While it would be possible to engineer situations where reversing the order of parts of the code could invert the logic of a conditional in useful ways (e.g. if x < 5 and if 5 < x literally have the opposite meaning to each other), the security researchers found something much more dangerous — if you nest Unicode direction markers in a specific way, you can make sections of text disappear from view completely! The ability to have code exist but not be visible to humans is obviously extremely valuable to anyone with evil intent!

This sounds bad, but don’t panic. Firstly, before publishing their findings, the researchers responsibly disclosed this issue to important developer software providers; secondly, they checked all of GitHub for examples of this attack in use and found none; and thirdly, the fix is very easy: update code editors and IDEs to show code the same way compilers interpret it, i.e. ignore Unicode direction markers. (You could fix this with a single regular expression 🙂)
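As an added example (not code from the original post or from the researchers), here is the kind of check a linter, pre-merge hook or editor can run so that reviewers see exactly what the compiler will see: it flags every Unicode bidirectional control character in a source file with its line and column, and produces the stripped text that the compiler actually parses. The regular expression, the short names and the sample lines are this example’s own constructions.

```javascript
// Explicit bidi controls: LRE, RLE, PDF, LRO, RLO (U+202A to U+202E) and the
// isolates LRI, RLI, FSI, PDI (U+2066 to U+2069). A non-global regex is used
// for per-character tests so that no lastIndex state leaks between calls.
const BIDI_CONTROL = /[\u202A-\u202E\u2066-\u2069]/;

const BIDI_NAMES = {
  '\u202A': 'LRE', '\u202B': 'RLE', '\u202C': 'PDF', '\u202D': 'LRO', '\u202E': 'RLO',
  '\u2066': 'LRI', '\u2067': 'RLI', '\u2068': 'FSI', '\u2069': 'PDI',
};

// Return one finding per control character: 1-based line and column (columns
// counted in code points, so multi-byte characters do not shift the result),
// the code point in hex and the short name of the control.
function findBidiControls(source) {
  const findings = [];
  source.split('\n').forEach((line, lineIdx) => {
    Array.from(line).forEach((cp, colIdx) => {
      if (BIDI_CONTROL.test(cp)) {
        findings.push({
          line: lineIdx + 1,
          column: colIdx + 1,
          codePoint: cp.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
          name: BIDI_NAMES[cp],
        });
      }
    });
  });
  return findings;
}

// What the compiler sees: the same bytes with the direction markers removed.
// An editor that renders this instead of the raw text shows the true order.
function stripBidiControls(source) {
  return source.replace(/[\u202A-\u202E\u2066-\u2069]/g, '');
}

// A review gate: true only when the file contains no bidi controls at all.
function isCleanOfBidiControls(source) {
  return findBidiControls(source).length === 0;
}

// Constructed sample: a comment carrying a stray RLO and a matching PDF.
const SAMPLE = [
  'int balance = 100;',
  '// check \u202Eaccess\u202C before paying',
  'return balance;',
].join('\n');

function demo() {
  const findings = findBidiControls(SAMPLE);
  for (const f of findings) {
    console.log(`line ${f.line} col ${f.column}: U+${f.codePoint} (${f.name})`);
  }
  console.log('compiler sees:\n' + stripBidiControls(SAMPLE));
  return findings;
}

demo();
```

Running this reports the RLO at line 2, column 10 and the PDF at line 2, column 17, and prints the comment as the compiler will read it. A pre-commit hook or CI step that calls isCleanOfBidiControls() on every changed file and rejects the change when it returns false is a reasonable policy for any repository that accepts outside contributions, since legitimate source code almost never needs these characters outside of string literals.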

The most likely attack scenario would be so-called supply chain attacks like the infamous SolarWinds attack this year.

Another likely scenario would be to sneak code like this into open source projects. That’s why it’s a big deal that one of the companies given advanced notice was Microsoft, so they were able to fix GitHub so pull requests will not be fooled by this trick.

If you write code, what should you do? If all your code is your own (probably with well-established third-party libraries that you trust), then you’re very unlikely to be affected by this. However, if you maintain code that accepts submissions from anonymous sources, you’ll need to be sure you’re reviewing those changes in an environment that has been updated, like GitHub.

Finally, this is a good reminder of why no one should use software that’s out of support. This is a trivial fix for app developers, but, if you’re using an app no developer is maintaining, you’ll never get this simple fix!

Link

Deep Dive 2 — those Emails from the FBI

Over the weekend many US sysadmins received an email genuinely from the FBI’s mail infrastructure which warned them about some kind of vague security threat and name-dropped a security researcher as the bad guy. The email contained some superb techno-babble the Star Trek writers would be proud of:

Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies through multiple global accelerators.

Strangely, there was no call to action. No link to click on, no request for information, no malicious attachment to open, nothing!

Initial speculation was that it was an attempt to DDOS the FBI by generating lots of calls, or to besmirch the named security researcher, but thanks to Brian Krebs we now have the answer. It was an anonymous security researcher of unknown hat colour who wanted to draw the FBI’s attention to a flaw in one of their websites without having to reveal his identity. Basically, vulnerability disclosure by funny news story!

Thanks to Krebs we also know how it happened. No servers were hacked into, no passwords leaked, guessed, or cracked, and no one was socially engineered — it was simply terrible web design left over from the dark early days of the web when JavaScript was often abused to do things on the client-side that really, really should be done on the server.

There was an old web form online that was visible to the public that sent emails in a really dumb way.

Normally when you enter information on a web form it gets submitted to the server where it can be securely validated, and where any needed emails can be securely sent. Server-side code is used for the validation and mailing because it’s invisible to web browsers and can’t be edited using them. Client-side code on the other hand runs in the browser, so browser tools allow visitors to both see and edit the code.

The vulnerable FBI web page composed the subject and body for emails in JavaScript, on the client-side, then submitted the information to a URL on the server that sent whatever it received using the FBI’s mail server. Anyone could submit an HTTP request specifying any subject and any body, and the script would send the email! You could do it by writing some simple HTML with a form whose action was set to the FBI URL that had an appropriately named text box for the subject and text area for the mail body. Or, you could use an AJAX call in your browser’s JavaScript console, or you could use a command-line HTTP utility like curl or wget. Simply put, it’s hard to imagine an easier-to-abuse implementation of what should be basic functionality.
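To make the contrast between the two designs concrete, here is an added example (this is not the FBI’s code, which is not public) showing the flawed shape described above beside a hardened one. Both handlers receive the already-parsed fields of one HTTP form submission and hand a message to a mailer; the mailer is a stub that records what it was asked to send so the two behaviours can be compared offline. The field names (subject, body, ticketId, note), the ticket-id format and the recipient addresses are this example’s own assumptions.

```javascript
// Stub mailer: records every message a handler tries to send.
function makeMailer() {
  const sent = [];
  return { send(message) { sent.push(message); }, sent };
}

// FLAWED: the subject and body were composed by JavaScript in the browser and
// the server forwards them verbatim. Anyone who can reach this URL (a form,
// a fetch() call, curl, wget) controls every word of the outgoing email.
function flawedHandler(fields, mailer) {
  mailer.send({
    to: 'helpdesk@example.invalid',
    subject: String(fields.subject || ''),
    body: String(fields.body || ''),
  });
  return { status: 200 };
}

// HARDENED: the server owns the subject, the recipient and the body template.
// The client may only supply narrowly validated data, which is inserted into
// fixed text; nothing it sends can become a subject line or a free-form email.
const TICKET_ID = /^[A-Z]{2}-\d{4,8}$/; // constructed format, e.g. AB-123456
const MAX_NOTE_LEN = 500;
// Printable ASCII plus newline; rejects control characters and header-injection
// attempts such as embedded carriage returns.
const NOTE_ALLOWED = /^[\x20-\x7E\n]*$/;

function hardenedHandler(fields, mailer) {
  const ticketId = String(fields.ticketId || '');
  const note = String(fields.note || '');
  if (!TICKET_ID.test(ticketId)) return { status: 400, error: 'invalid ticketId' };
  if (note.length === 0 || note.length > MAX_NOTE_LEN || !NOTE_ALLOWED.test(note)) {
    return { status: 400, error: 'invalid note' };
  }
  mailer.send({
    to: 'helpdesk@example.invalid',                        // fixed on the server
    subject: `Ticket ${ticketId}: new note from web form`, // fixed on the server
    body: `A visitor added a note to ticket ${ticketId}.\n\n---\n${note}\n---\n`,
  });
  return { status: 200 };
}

// Constructed request: a client that has rewritten the subject and body,
// which is exactly what the client-side design allowed.
const HOSTILE_FIELDS = {
  subject: 'Urgent warning from the security team',
  body: 'Our intelligence monitoring indicates ...',
};

function demo() {
  const flawed = makeMailer();
  flawedHandler(HOSTILE_FIELDS, flawed);
  console.log('flawed handler sent subject:', flawed.sent[0].subject);

  const hardened = makeMailer();
  const rejected = hardenedHandler(HOSTILE_FIELDS, hardened);
  console.log('hardened handler response:', rejected, 'messages sent:', hardened.sent.length);

  const accepted = hardenedHandler({ ticketId: 'AB-123456', note: 'Still broken after reboot.' }, hardened);
  console.log('hardened handler response:', accepted, 'subject:', hardened.sent[0].subject);
  return { flawed, hardened };
}

demo();
```

The flawed handler mails the attacker’s subject and body unchanged, while the hardened handler rejects the same request outright (no email is sent) and, for a well-formed submission, sends an email whose subject and framing text were decided entirely on the server. The rule is the one stated above: validation and composition happen in code the visitor cannot see or edit, and the browser is treated as nothing more than an untrusted source of a few constrained values.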

The fix was very easy, the FBI powered down the old server 🙂

Links

❗ Action Alerts

Worthy Warnings

Notable News

Interesting Insights

  • Sophos have released their 2022 Threat Report. It looks back at 2021 and projects forward to 2022. No surprise, 2021 was dominated by ransomware, and 2022 is likely to be too — news.sophos.com/…
  • Apple have released their transparency report for 2020 — they received fewer requests than the previous year, and they responded with information at a slightly lower rate (77% of the time -v- 80%). Surprisingly, Germany is the highest requestor, followed by the expected big-hitters the US & China. All this needs to be taken with a massive grain of salt because the reporting period ends just before the January 6th insurrection in the US, which very likely resulted in a huge spike which we’ll see in the next report — www.cnet.com/… & www.macobserver.com/…

Palate Cleansers

  • Somewhat disappointingly, macOS Monterey only shipped with an abstract wallpaper, not with a photographic one like previous California-named OSes from Apple have. Thankfully some local photographers took care of that for us and created a beautiful dynamic wallpaper for Monterey — www.vyncher.com/…
  • A very useful flow chart for when you or your friends or family see something unexpected in the night sky (no, it’s not aliens, but might still be cool!) — apod.nasa.gov/…

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji meanings:

  • 🎧 A link to audio content, probably a podcast.
  • ❗ A call to action.
  • (flag emoji) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
  • 📊 A link to graphical content, probably a chart, graph, or diagram.
  • 🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
  • 💵 A link to an article behind a paywall.
  • 📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
  • 🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
