Skip to content
July 9, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Watchtower
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Technology
  • Columbia University researchers found a new way to hide information in plain text
  • Technology

Columbia University researchers found a new way to hide information in plain text

Do Son May 11, 2018 3 minutes read
FontCode
Add Daily CyberSecurity as a preferred source on Google

Columbia Engineering Computer scientists invented a new method, FontCode, that can embed hidden information in the text without interfering with text. The FontCode creation uses font perturbation to encode information, which can then be decoded to recover the information. Unlike other methods of hiding text and documents embedded with information, this method is suitable for most fonts and document types, even when printing documents or converting to other file types. The study will be presented at SIGGRAPH in Vancouver on August 12-16.

Changxi Zheng, associate professor of computer science and the paper’s senior author said:

“While there are obvious applications for espionage, we think FontCode has even more practical uses for companies wanting to prevent document tampering or protect copyrights, and for retailers and artists wanting to embed QR codes and other metadata without altering the look or layout of a document”

Zheng led his students to create this method of text steganography, which can embed texts, metadata, URLs, or digital signatures into text documents or images, whether digital or paper-based. It works with popular font families such as Times Roman, Helvetica, and Calibri, and is compatible with most word processors (including Word and FrameMaker) and image editing and drawing programs (such as Photoshop and Illustrator). Since each letter may be disturbed, the amount of information secretly conveyed is limited only by the length of the regular text. Information uses subtle font perturbation coding—changing the stroke width, adjusting the height of the ascent and descent, or adjusting the curves of the letters o, p, and b, for example.

Hidden data using FontCode can be very difficult to detect. Even if an attacker detects a font change between two texts, it is impractical to scan every file in the company.

Data hidden using FontCode can be extremely difficult to detect. Even if an attacker detects font changes between two texts—highly unlikely given the subtlety of the perturbations—it simply isn’t practical to scan every file going and coming within a company. “Encryption is just a backup level of protection in case an attacker can detect the use of font changes to convey secret information,” says Zheng. “It’s very difficult to see the changes, so they are really hard to detect—this makes FontCode a very powerful technique to get data past existing defenses.”

The research author has submitted a patent to Columbia Technology Ventures and plans to extend FontCode to other languages and character sets, including Chinese.

“We are excited about the broad array of applications for FontCode,” said Zheng. “from document management software, to invisible QR codes, to protection of legal documents. FontCode could be a game changer..”

Suggest Reading:

FontCode: Embedding Information in Text Documents using Glyph Perturbation

Source: TechXplore 

Get Zero-Hour Vulnerability Alerts

Critical CVEs, CVSS scores, and PoC updates — straight to your inbox every week.


We respect your inbox. Unsubscribe anytime.

Related coverage

  • ‘Vibe Working’ Is Here: Microsoft Introduces AI Agent Mode for Word and Excel
  • Apple released iOS and macOS system updates to fix Specter vulnerabilities
  • Dolby Vision 2 Arrives: A New Imaging Standard Promises “Beyond HDR” Quality
  • Microsoft released KB4073578, KB4073576 patch to fix unbootable state AMD computer
  • Google Unveils Flow, Veo 3, Imagen 4: New Era of AI Media Creation

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: FontCode

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
  • CVE-2024-14037CVSS 9.8
    Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution...
    Admin intel📅 Updated: Jul 3, 2026
  • CVE-2026-8451CVSS 8.8
    Insufficient input validation in NetScaler ADC and NetScaler Gateway leading to memory overread if NetScaler ADC or NetScaler Gateway is configured...
    Admin intel📅 Updated: Jul 2, 2026
  • CVE-2026-8037CVSS 9.6
    OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to...
    Admin intel📅 Updated: Jul 1, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-14245CVSS 9.8
    The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is...
  • CVE-2026-47646CVSS 9.3
    Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics...
  • CVE-2026-54782CVSS 10.0
    CoreWCF is a port of the service side of Windows Communication Foundation...
  • CVE-2026-44024CVSS 9.8
    Fluentd collects events from various data sources and writes them to files,...
  • CVE-2026-53649CVSS 9.6
    # Unauthenticated Cross-Origin Plugin Upload Leads to RCE (Joro ≤ v1.1.0) **Severity:**...
  • CVE-2026-52831CVSS 10.0
    ## Summary Nuclio controller builds a `curl` invocation string for each cron...
  • CVE-2026-9074CVSS 9.1
    IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL...
  • CVE-2026-15062CVSS 9.6
    SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior...
  • CVE-2026-59702CVSS 9.3
    repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint...
  • CVE-2026-54061CVSS 9.1
    Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5,...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • Disclaimer
    • Privacy Policy
    • DMCA NOTICE
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.