Feedback

Codebox Software

Homoglyph Detection

Published: 31 Oct 2015

Homoglyphs are characters with different meanings, that look similar/identical to each other - like the digit '0' and the capital letter 'O' for example.

Homoglyphs within a single alphabet tend to be rare for obvious reasons. These days, however, the internet runs on Unicode which means that it is possible to mix the letters from many different languages together in one place, massively increasing the number of homoglyphs.

For example, each of the characters shown below are different, with their own unique Unicode codepoint values, but they all look more-or-less like the capital letter 'A':

A Α А Ꭺ ᗅ ᴀ ꓮ A 𐊠 𝐀 𝐴 𝑨 𝒜 𝓐 𝔄 𝔸 𝕬 𝖠 𝗔 𝘈 𝘼 𝙰 𝚨 𝛢 𝜜 𝝖 𝞐

As well as creating general confusion, homoglyphs can cause particular problems for software developers. For example, if a social media website wants to protect its users from offensive language it may create a 'black-list' of forbidden words, and block any content that contains them. However, someone wishing to use one of the black-listed words could replace one of its letters with a homoglyph - the word would no longer match the one on the black-list, but its meaning would still be apparent to anyone who saw it.

The list below shows some examples of this technique (hover over the words to reveal where regular letters have been replaced with homoglyphs)

  • ϲrеdi
  • lοanƽ
  • weЬcaѕ

I have tried to compile a list of all the homoglyphs I could find, and to make the list useful by processing it in various ways to make it easier to use in software. The list of homoglyphs I used is based on the one that appears on the Unicode Consortium website however this list, although long, was incomplete, so I added some further pairs found thanks to homoglyphs.net

JavaScript and Unicode

As noted by Mathias Bynens, JavaScript has a Unicode Problem. String processing code that works perfectly well with regular English characters can behave in unexpected ways when more exotic ones are used.

In the example below the string 'FOUR' has a length value of '4' as we would expect, however when the letters are replaced with high-value homoglyphs the length is reported as '8'. This problem occurs for any character with a Unicode codepoint value higher than U+FFFF:

    >'FOUR'.length
    4
    >'𐊇𐊒𝐔𝐑'.length
    8

This can cause problems when attempting to process Strings in order to detect homoglyph substitutions; however the JavaScript search function mentioned above uses the new ECMAScript 6 for...of construct which correctly extracts individual characters from a piece of text to allow a search to be performed.

Java and Unicode

Unfortunately, Java also has a Unicode problem! - when the language was designed, the Unicode standard only used 16-bits to encode each character, and so the corresponding Java char data type was specified to have 16-bits as well. The Unicode standard has since been updated to add many more different characters, and more than 16 bits are required to represent them all. This means that we must be careful when handling Strings that contain high-value characters, we can't rely, for example, on the .length() method returning the correct number of characters in a String.

This Java class provides a homoglyph-aware search function that correctly handles high-value Unicode characters by using the 32-bit int datatype to represent codepoint values.

Send Feedback

Use this form to send feedback, if you want a reply please include your email address!