The seed phrase, a random combination of words from the Bitcoin Improvement Proposal (BIP) 39 list of 2048 words, serves as one of the primary layers of protection against unauthorized access to a user’s crypto holdings. But what happens when your “smart” phone’s predictive typing memorizes it and suggests the words the next time you try to access your digital wallet?
Andre, a 33-year-old IT professional from Germany, recently posted on the r/CryptoCurrency subreddit that he had discovered his mobile phone’s ability to predict his recovery seed phrase perfectly as soon as he typed the first word.
As a fair warning to fellow Redditors and crypto enthusiasts, Andre’s post highlights the ease with which hackers could abuse the feature to steal user funds simply by typing the first word from the BIP 39 list. In his words:
“This makes it easy to attack: get hands on the phone, start any chat app and start typing any word from the BIP39 list and see what the phone suggests.”
Speaking to Cointelegraph, Andre, known on Reddit as u/devinx, shared his shock when his phone first guessed, quite literally, his 12-24 word seed phrase. “At first, I was stunned. The first two words could be coincidences, right?”
As a tech-savvy person, the German crypto investor was able to reproduce the scenario in which his mobile phone accurately predicted the seed phrase. After realizing the potential impact of this information falling into the wrong hands, he said: “I thought I should tell people about it. I’m sure there are others who have typed seeds into their phones.”
Andre’s experiments confirmed that Google’s Gboard was the least vulnerable, because the software did not predict every word in the correct order. However, Microsoft’s SwiftKey keyboard was able to predict the seed phrase right out of the box. The Samsung keyboard could also guess the words if “auto replace” and “suggest text correction” were turned on manually.
Andre’s first stint with crypto dates back to 2015, after which he momentarily lost interest until he realized that he could purchase goods and services using Bitcoin (BTC) and other cryptocurrencies. His investment strategy involves buying and staking BTC and altcoins such as Terra (LUNA), Algorand (ALGO) and Tezos (XTZ), and “dollar-cost averaging into BTC when they are over the moon.” The IT professional also develops his own coins and tokens as a hobby.
According to Andre, a security measure against potential hacks is to store significant and long-term holdings in hardware wallets. To Redditors around the world, he advises: “Not your keys, not your coins; do your own research; don’t FOMO; don’t invest more than you’re willing to lose; always double-check the address you’re sending to; always send a small amount beforehand; and disable your PMs in settings.” He concluded:
“Do yourself a solid and prevent this from happening by clearing your predictive text cache.”
Related: STEPN impersonators steal users’ seed phrases, warn security experts
Blockchain security firm PeckShield has warned the crypto community about a large number of phishing websites targeting users of the Web3 lifestyle app STEPN.
#PeckShieldAlert #Phishing PeckShield has discovered a batch of @stepnofficial phishing sites. They inject a fake MetaMask browser extension to steal your seed phrase, or prompt you to connect your wallet or “claim” a giveaway. @metamask @coinbase @walletconnect @phantom pic.twitter.com/cmWUcprMAN
— PeckShieldAlert (@PeckShieldAlert) April 25, 2022
As Cointelegraph recently reported, based on PeckShield’s findings, hackers inserted a fake MetaMask browser plugin through which they could steal seed phrases from unsuspecting STEPN users.
Access to the seed phrase guarantees full control over the user’s crypto funds through the STEPN dashboard.