Earlier this week, software engineer Paul Butler published a blog post titled “Smuggling arbitrary data through an emoji.” In it, he showcased a tool he created to allow you to do this yourself and explained how and why the tool works.
Essentially, the exploit here boils down to a fundamental problem with Unicode— the ability to hide bytes of data within any Unicode character by simply not including that data within the render pipeline. Unicode includes a render command past which other data can be bundled but not rendered, and exploiting that effectively allows users to create hidden messages within Unicode characters.