Seed phrases, a randomly generated sequence of 12 to 24 words drawn from the 2048-word list defined in Bitcoin Improvement Proposal 39 (BIP39), act as one of the main layers of security against unauthorized access to a user’s cryptocurrencies. But what happens when your “smart” phone’s predictive typing remembers those words and suggests them the next time you try to access your digital wallet?
Andre, a 33-year-old IT professional from Germany, recently posted to the r/CryptoCurrency subreddit after discovering that his mobile phone could predict his entire seed recovery phrase as soon as he typed its first word.
As a fair warning to fellow Reddit and crypto enthusiasts, Andre’s post highlighted how easily an attacker with access to the phone could use the feature to recover a seed phrase, and with it drain a user’s funds, just by typing the first word from the BIP39 list:
“This makes it easy to hack: put your hands on a phone, launch any chat app, start typing any word on the BIP39 list and see what the phone suggests.”
Speaking to Cointelegraph, Andre, also known as u/Divinux on Reddit, shared his surprise when he first experienced his phone literally guessing the 12- to 24-word seed phrase. “First, I was stunned. The first couple of words could be a coincidence, right?”
Being tech-savvy, the German crypto investor was able to reproduce the scenario in which his mobile phone accurately predicted the seed phrase. Realizing the potential impact of this information if it got into the wrong hands, he said: “I thought I should tell people. I’m sure other people have also typed seeds into their phone.”
Andre’s experiments found that Google’s Gboard was the least vulnerable, as it did not predict each word in the correct order. Microsoft’s SwiftKey keyboard, however, predicted the seed phrase right out of the box. The Samsung keyboard can also predict the words if the “Auto replace” and “Suggest text corrections” options have been enabled manually.
Andre’s first experience with crypto dates back to 2015; he lost interest for a while until he realized he could buy goods and services with Bitcoin (BTC) and other cryptocurrencies. His investment strategy consists of buying and staking BTC and altcoins such as Terra (LUNA), Algorand (ALGO) and Tezos (XTZ) and “then averaging the dollar cost in BTC when/if the moon goes away.” The IT professional also develops his own coins and tokens as a hobby.
One security measure against potential hacks, according to Andre, is to store significant, long-term holdings in a hardware wallet. To Redditors everywhere, he advises “not your keys, not your coins, do your own research, no FOMO, never invest more than you’re willing to lose, always double check the address you’re sending to, always send a small amount beforehand and disable your PMs in the settings,” concluding:
“Do yourself a favor and prevent this from happening by clearing your predictive type cache.”
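To make concrete why typing a seed phrase into a phone once is enough for the attack Andre describes, and why his advice to clear the predictive typing cache works, here is an added example. It is not code from Andre, from Cointelegraph or from any keyboard vendor: it models a personalised keyboard as a simple bigram predictor, which is an assumption for illustration, since SwiftKey, Gboard and the Samsung keyboard use more elaborate models. The chat messages, the 12 typed words and the small BIP39 subset are all constructed for the example.

```python
"""Simulated personalised keyboard prediction vs. a seed phrase (added example).

Models a keyboard that learns word pairs from everything typed and suggests
the most frequent successor. Shows (1) that a seed phrase typed once can be
replayed from its first word, (2) an audit that finds such chains, and
(3) that clearing the learned dictionary removes them.
Assumption: a bigram model stands in for the real (more complex) vendor models.
"""
from collections import Counter, defaultdict

# Constructed subset of the 2048-word BIP39 English list (in real use, load the
# full list from the specification). Every word here is in the real list.
BIP39_SUBSET = {
    "zebra", "lunch", "pelican", "orbit", "walnut", "gym", "riot", "fossil",
    "hedgehog", "cactus", "tornado", "vault", "train", "address", "again",
    "sorry", "place", "coffee", "phone",
}

# Constructed 12 words drawn from the BIP39 list; not a real or checksummed
# mnemonic, only text the user typed once while restoring a wallet.
TYPED_SEED = ("zebra lunch pelican orbit walnut gym "
              "riot fossil hedgehog cactus tornado vault")

# Constructed everyday chat messages typed on the same keyboard.
CHAT_HISTORY = [
    "the train is late again sorry",
    "can you send me the address again",
    "coffee at the usual place after work",
    "my phone is almost dead call you later",
]


class BigramPredictor:
    """Minimal personalised next-word model: counts (word, next word) pairs."""

    def __init__(self):
        self._next = defaultdict(Counter)

    def learn(self, text):
        words = text.lower().split()
        for prev, nxt in zip(words, words[1:]):
            self._next[prev][nxt] += 1

    def suggest(self, word, k=3):
        """Top-k suggestions for the word just typed, most frequent first."""
        return [w for w, _ in self._next[word.lower()].most_common(k)]

    def clear(self):
        """The 'clear predictive typing cache' / reset learned words action."""
        self._next.clear()


def replay_chain(predictor, first_word, length=12):
    """Type one word, then keep accepting the top suggestion, as an attacker would."""
    chain = [first_word]
    while len(chain) < length:
        nxt = predictor.suggest(chain[-1], k=1)
        if not nxt:
            break
        chain.append(nxt[0])
    return chain


def audit_learned_words(predictor, wordlist, min_len=12):
    """Find chains of >= min_len consecutive wordlist words that the keyboard
    suggests when seeded with a wordlist word. A non-empty result means the
    keyboard has memorised something that looks like a seed phrase."""
    found = []
    for start in sorted(wordlist):
        chain = replay_chain(predictor, start, min_len)
        if len(chain) >= min_len and all(w in wordlist for w in chain):
            found.append(chain)
    return found


def demo():
    kb = BigramPredictor()
    for msg in CHAT_HISTORY:
        kb.learn(msg)
    kb.learn(TYPED_SEED)                       # user restores a wallet once

    recovered = replay_chain(kb, "zebra")      # attacker types the first word
    leaks = audit_learned_words(kb, BIP39_SUBSET)

    kb.clear()                                 # mitigation from the post
    return {
        "recovered": recovered,
        "leaks": leaks,
        "after_clear": replay_chain(kb, "zebra"),
        "leaks_after_clear": audit_learned_words(kb, BIP39_SUBSET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it, `recovered` comes back as all 12 typed words from the single word `zebra`: because the seed words never occur in ordinary messages, each one has exactly one learned successor, so the chain is deterministic. `audit_learned_words` is the automated form of the manual check Andre describes (type a BIP39 word, see what follows), and after `clear()` both the replay and the audit come back empty. A plausible reason a keyboard reproduces only part of a phrase, or gets the order wrong, is that a seed word the user also types in everyday chat has its successor counts split between the chat word and the next seed word; this is an inference from the model, not something the post establishes.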
Blockchain security firm PeckShield has warned the cryptocurrency community about a large number of phishing websites targeting users of the Web3 STEPN lifestyle app.
#PeckShieldAlert #phishing PeckShield has detected a batch of @Stepnofficial phishing sites. They insert a false Metamask browser extension that steals your seed phrase, or prompt you to connect your wallets or “Claim” a giveaway. @Metamask @Coinbase @WalletConnect @phantom pic.twitter.com/cmWUcprMAN
— PeckShieldAlert (@PeckShieldAlert) April 25, 2022
As Cointelegraph recently reported, based on PeckShield’s findings, hackers insert a counterfeit MetaMask browser plugin through which they can steal seed phrases from unsuspecting STEPN users.
Anyone holding the seed phrase has full control of the user’s funds, including through the STEPN control panel.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. Nothing set forth here should be taken as financial advice or an investment recommendation. All investments and trading involve risk, and it is each person’s responsibility to do their own research before making an investment decision.
Investments in crypto assets are not regulated. They may not be suitable for retail investors, and the full amount invested may be lost. The services or products offered are not aimed at or accessible to investors in Spain.