During development of the Polyglottal Cipher, I discovered a critical security vulnerability in how Chrome — and most browsers — handle Unicode characters in URL paths.
Characters that look identical to ASCII but are different Unicode code points can be used to inject malicious paths that appear legitimate to users. The attack bypasses visual inspection entirely.
https://bank.com/loginhttps://bank.com/lοginPhishing attacks that bypass visual inspection. Credential harvesting at scale. Browser security model bypass. Password manager autofill exploitation — the autofill doesn't distinguish between the real URL and the homoglyph variant.
The same knowledge that enables invisible encryption reveals invisible attack vectors. The deep work on Unicode steganography exposed what no one was looking for.