A seed phrase is a random sequence of words drawn from the 2048-word Bitcoin Improvement Proposal (BIP) 39 list and is one of the primary security layers preventing unauthorized access to a user’s crypto assets. But what happens when your “smart” phone’s predictive text remembers those words and suggests them the next time you try to access your digital wallet?
Andre, a 33-year-old IT professional from Germany, recently posted on the r/CryptoCurrency subreddit after discovering that his phone was able to predict the entire recovery mnemonic immediately after typing the first word.
As a fair warning to Redditors and crypto enthusiasts, Andre’s post highlights how easily an attacker with the phone in hand can abuse the feature to drain a user’s funds, simply by being able to type the first word from the BIP39 list:
“This makes it easy to attack: pick up your phone, launch any chat app, start typing any word on the BIP39 list, and see what your phone suggests.”
Speaking to Cointelegraph, Andre, known on Reddit as u/Divinux, shared his shock when he first saw his phone literally guessing 12- to 24-word seed phrases. “First of all, I was stunned. The first two words are probably a coincidence, right?”
Being a tech-savvy person, the German cryptocurrency investor was able to reproduce the behavior in which his phone accurately predicted the mnemonic. After realizing the impact this information could have if it fell into the wrong hands, he said: “I thought I should tell people about it. I’m sure there are other people who have also entered seeds into their phones.”
Andre’s experiments found that Google’s Gboard was the least vulnerable, because it did not predict the words in the correct order. Microsoft’s SwiftKey keyboard, however, predicted seed phrases directly. The Samsung keyboard also predicts the words if Auto Replace and Suggest Text Corrections are turned on manually.
Andre’s initial use of cryptocurrencies dates back to 2015, though he temporarily lost interest until he realized he could use Bitcoin (BTC) and other cryptocurrencies to buy goods and services. His investment strategy involves buying and staking BTC and altcoins such as Terra (LUNA), Algorand (ALGO), and Tezos (XTZ), then “when/if they go to the moon, the dollar cost averages to BTC.” The IT professional also develops his own coins and tokens as a hobby.
According to Andre, one security measure against a possible hack is to store important long-term assets in hardware wallets. His advice to Redditors around the world: “Not your keys, not your coins; do your own research; don’t FOMO; never invest more than you’re willing to lose; always double-check the addresses you’re sending to; always send a small amount in advance; and disable your PM in the settings.” He concludes:
“Do yourself a favor and prevent this from happening by clearing your prediction type cache.”
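To turn that advice into a check, here is an added example (not from the Reddit post, Andre, or Cointelegraph) that scans an exported keyboard learned-word history for runs of consecutive BIP39 words long enough to be a mnemonic, so the owner knows whether the predictive cache needs clearing. The embedded word list is a constructed subset of the real 2048-word list, and the history is constructed; a real audit would load the full list from a file.

```python
"""Audit a keyboard's learned-word history for seed-phrase-length runs of BIP39 words."""

# Constructed subset of the 2048-word BIP39 English list (assumption: a real audit
# loads the full list from a file). Enough words for the example below.
BIP39_SAMPLE = set("""
abandon ability able about above absent absorb abstract absurd abuse access accident
account accuse achieve acid acoustic acquire across act action actor actress actual
adapt add addict address adjust admit adult advance advice aerobic affair afford afraid
again age agent agree ahead aim air airport aisle alarm album alcohol alert alien all
""".split())

MNEMONIC_LENGTHS = (12, 15, 18, 21, 24)   # valid BIP39 phrase lengths


def find_seed_runs(history, wordlist, min_len=12):
    """Return (start_index, length) for every maximal run of at least min_len
    consecutive entries that are all BIP39 words. Matching is case-insensitive
    and ignores surrounding whitespace. Ordinary chat text rarely contains 12 list
    words in a row, so such a run is a strong hint that a seed phrase was typed."""
    runs = []
    start = None
    for i, raw in enumerate(list(history) + [None]):    # None terminates a trailing run
        word = raw.strip().lower() if raw is not None else None
        if word is not None and word in wordlist:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs


def looks_like_mnemonic(run_length):
    """True when a run has one of the lengths a BIP39 mnemonic can have."""
    return run_length in MNEMONIC_LENGTHS


# Constructed learned-word history: chat vocabulary around a 12-word run that
# a user could have typed while restoring a wallet on the phone.
HISTORY = (
    "hey are you coming to the airport later".split()
    + "abandon ability able about above absent absorb abstract absurd abuse access accident".split()
    + "lol ok see you".split()
)

if __name__ == "__main__":
    for start, length in find_seed_runs(HISTORY, BIP39_SAMPLE):
        flag = "possible seed phrase" if looks_like_mnemonic(length) else "suspicious run"
        print(f"{flag}: {length} BIP39 words at position {start}; clear the keyboard cache")
```

Many common English words ("all", "air", "add") are on the BIP39 list, so the run length, not the presence of individual words, is what makes the heuristic useful.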
Related: STEPN impostors steal users’ mnemonics, warn security experts
Blockchain security firm PeckShield has warned the crypto community about a spate of phishing sites targeting users of the Web3 lifestyle app STEPN.
#PeckShieldAlert #Phishing PeckShield detected @Stepnofficial Phishing site. They insert fake Metamask browser extensions that steal your mnemonic phrase or prompt you to connect a wallet or “claim” a giveaway. @Metamask @Coinbase @WalletConnect @phantom pic.twitter.com/cmWUcprMAN
— PeckShieldAlert (@PeckShieldAlert) April 25, 2022
As Cointelegraph recently reported, according to PeckShield’s findings, hackers inserted a fake MetaMask browser add-on through which they could steal seed phrases from unsuspecting STEPN users.
Access to a mnemonic phrase gives full control of a user’s crypto funds through the STEPN dashboard.