StegCloak is a pure JavaScript steganography module designed in functional programming style, to hide secrets inside text by compressing and encrypting the secret before cloaking it with special unicode invisible characters.
It can be used to safely watermark strings, invisible scripts on webpages, texts on social media or for any other covert communication. Completely invisible!. See how it works in-depth in this medium article or watch our demo to know what it does.
Features
Installing
Using npm,
$ npm install -g stegcloak
Using npm (to use it locally in your program),
$ npm install stegcloak
How it works?
CLI Usage
$ stegcloak hide
hide [options] [secret] [cover]
-fc, –fcover Extract cover text from file
-fs, –fsecret Extract secret text from file
-n, –nocrypt If you don’t need encryption (default: false)
-i, –integrity If additional security of preventing tampering is needed (default: false)
-o, –output Stream the results to an output file
-c, –config Config file
-h, –help display help for command
$ stegcloak reveal
reveal [message]
-f, –file Extract message from file
-cp, –clip Copy message directly from clipboard
-o, –output Stream the secret to an output file
-c, –config Config file
-h, –help display help for command
Additional Support
API Usage
const StegCloak = require('stegcloak'); const stegcloak = new StegCloak(true, false); // Initializes with encryption true and hmac false for hiding // These arguments are used only during hide // Can be changed later by switching boolean flags for stegcloak.encrypt and stegcloak.integrity
What’s HMAC and do I need it?
HMAC is an additional fingerprint security step taken towards tampering of texts and to verify if the message received was actually sent by the intended sender. If the data is sent through WhatsApp, Messenger or any social media platform, this is already taken care of! However, if you are using StegCloak in your program to safely transmit and retrieve, this option can be enabled and StegCloak takes care of it.
Hide
stegcloak.hide(secret,password,cover) -> string
const magic = stegcloak.hide("Voldemort is back", "mischief managed", "The WiFi's not working here!"); // Uses stegcloak.encrypt and stegcloak.integrity booleans for obfuscation console.log(magic); // The WiFi's not working here!
Reveal
stegcloak.reveal(data, password) -> string
const secret = stegcloak.reveal(magic, "mischief managed"); // Automatically detects if encryption or integrity checks were done during hide and acts accordingly console.log(secret); // Voldemort is back
Important
StegCloak doesn’t solve the Alice-Bob-Warden problem, it’s powerful only when people are not looking for it and it helps you achieve that really well, given its invisible properties around the web! It could be safely used for watermarking in forums, invisible tweets, social media etc. Please don’t use it when you know there’s someone who is actively sniffing your data – looking at the unicode characters through a data analysis tool. In that case, even though the secret encoded cannot be deciphered, the fact lies that the Warden (middle-man) knows some secret communication took place, because he would have noticed an unusual amount of special invisible characters.
Resources
The following papers were referred to for insight and understanding of using Zero Width Characters in steganography.
Modern Text Hiding, Text Steganalysis, and Applications: A Comparative Analysis
AITSteg: An Innovative Text Steganography Technique for Hidden Transmission of Text Message via Social Media. IEEE Access
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…