Seed phrases, a random combination of words from the BIP39 list of 2048 words, act as one of the primary layers of security against unauthorized access to a user’s crypto holdings. But what happens when your smartphone’s predictive typing remembers the words and suggests them the next time you try to access your digital wallet?
Andre, a 33-year-old IT pro from Germany, recently posted on the r/CryptoCurrency subreddit after discovering his cellphone’s ability to predict the entire recovery seed phrase as soon as he typed the first word.
As a fair warning to fellow Redditors and crypto enthusiasts, Andre’s post highlighted how easily an attacker with the phone in hand could use the feature to siphon off a user’s funds by simply typing the first word from the BIP39 list:
“This makes it easy to attack, get your hands on a phone, launch a chat app and type in any words from the BIP39 list and see what the phone suggests.”
Speaking to Cointelegraph, Andre, aka u/Divinux on Reddit, shared his shock when he first experienced his phone literally guess the seed phrase (12-24 words) – “At first I was stunned – the first few words could be a coincidence, right?”
Being a tech-savvy person, the German crypto investor was able to reproduce the scenario in which his mobile phone accurately predicted the seed phrase. After realizing what it could mean if this information got into the wrong hands, he said: “I thought I should tell people about it; I’m sure there are others who have seeds typed into their phones as well.”
Andre’s experiments confirmed that Google’s Gboard was the least vulnerable because the software didn’t predict every word in the correct order. However, Microsoft’s SwiftKey keyboard was able to predict the seed phrase immediately. The Samsung keyboard can also predict the words if “Auto Replace” and “Suggest Text Corrections” are manually enabled.
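The behaviour Andre describes is a side effect of how learning keyboards work: they store which word tends to follow which, so a seed phrase typed once becomes a chain the keyboard can replay. The toy model below is an added illustration, not code from the article or from any keyboard vendor. It stands in for a predictive keyboard with a simple bigram model (an assumption; real keyboards use richer models), shows that the full constructed phrase comes back from its first word, includes a defender-side audit that flags learned chains of BIP39 words of seed length, and shows that clearing the learned data, the mitigation the article recommends, removes the chain. The twelve words are the first twelve of the BIP39 English list, arranged into a constructed demo sequence that is not a valid seed.

```python
from collections import defaultdict, Counter

# Constructed demo vocabulary: the first 12 words of the BIP39 English list.
# The sequence is for illustration only and is not a valid (checksummed) seed.
BIP39_SAMPLE = [
    "abandon", "ability", "able", "about", "above", "absent",
    "absorb", "abstract", "absurd", "abuse", "access", "accident",
]


class PredictiveKeyboard:
    """Toy stand-in for a learning keyboard (assumption: a bigram model).

    Real keyboards use more elaborate language models, but the property that
    matters here is the same: a sequence typed once is remembered as
    word -> most likely next word transitions.
    """

    def __init__(self):
        # previous word -> Counter of words that followed it
        self.next_words = defaultdict(Counter)

    def learn(self, text):
        """Record every adjacent word pair the user typed."""
        words = text.lower().split()
        for prev, cur in zip(words, words[1:]):
            self.next_words[prev][cur] += 1

    def suggest(self, word):
        """Top-1 suggestion for the word that should follow `word`, or None."""
        counts = self.next_words.get(word)
        if not counts:
            return None
        return counts.most_common(1)[0][0]

    def complete(self, first_word, max_len=24):
        """Follow top-1 suggestions from `first_word` until they run out.

        Stops at 24 words (the longest BIP39 phrase) or on a repeated word,
        so ordinary chatty text cannot loop forever.
        """
        chain = [first_word]
        while len(chain) < max_len:
            nxt = self.suggest(chain[-1])
            if nxt is None or nxt in chain:
                break
            chain.append(nxt)
        return chain

    def clear_learned_data(self):
        """The mitigation from the article: wipe the predictive-type cache."""
        self.next_words.clear()


def audit_for_seed_chains(keyboard, wordlist, min_len=12):
    """Defender check: report learned chains made only of wordlist words
    that are at least as long as the shortest seed phrase (12 words)."""
    wordset = set(wordlist)
    found = []
    for start in keyboard.next_words:
        if start not in wordset:
            continue
        chain = keyboard.complete(start)
        if len(chain) >= min_len and all(w in wordset for w in chain):
            found.append(chain)
    return found


if __name__ == "__main__":
    kb = PredictiveKeyboard()
    kb.learn("see you at the station tomorrow")   # ordinary chat text
    kb.learn(" ".join(BIP39_SAMPLE))              # the seed, typed once
    print("from 'abandon':", " ".join(kb.complete("abandon")))
    print("audit:", audit_for_seed_chains(kb, BIP39_SAMPLE))
    kb.clear_learned_data()
    print("after clearing:", kb.suggest("abandon"))
```

Running the script shows the whole twelve-word chain being recovered from its first word, the audit flagging exactly that chain, and no suggestion at all once the learned data is cleared. A keyboard that only predicts single words out of order, as the article says Gboard did, would correspond to a model that does not reproduce the chain; the risk the article describes comes from the ordered replay.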
Andre’s initial stint in crypto dates back to 2015 when he temporarily lost interest until realizing he could buy goods and services with Bitcoin (BTC) and other cryptocurrencies. His investment strategy involves buying and using BTC and altcoins like Terra (LUNA), Algorand (ALGO), and Tezos (XTZ) and “then dollar-cost-averaging (DCA) into BTC when/if they moon.” The IT professional also develops his own coins and tokens as a hobby.
A security measure against possible hacks, according to Andre, is to store significant and long-term holdings in a hardware wallet. To Redditors around the world, OP’s advice is: not your keys, not your coins; DYOR; no FOMO; never invest more than you are willing to lose; always verify the address you send to; always send a small amount up front; disable your PMs in settings; and finally:
“Do yourself a favor and stop this from happening by clearing your predictive type cache.”
Related: STEPN impersonators stealing users’ seed phrases, security researchers warn
Blockchain security firm PeckShield warned the crypto community about a large number of phishing websites targeting users of the Web3 lifestyle app STEPN.
#PeckShieldAlert #phishing PeckShield has detected a batch of @Stepofficial phishing sites. They inject a fake Metamask browser extension that will cause your seed phrase to be stolen, or ask you to connect your wallets or “claim” a freebie. @metamask @coinbase @WalletConnect @Phantom pic.twitter.com/cmWUcprMAN
— PeckShieldAlert (@PeckShieldAlert) April 25, 2022
As Cointelegraph reported, based on PeckShield’s findings, hackers inject a fake MetaMask browser plugin that allows them to steal seed phrases from unsuspecting STEPN users.
Access to a seed phrase guarantees complete control over the user’s crypto funds via the STEPN dashboard.
https://cointelegraph.com/news/warning-smartphone-text-prediction-guesses-crypto-hodler-s-seed-phrase Smartphone text prediction guesses crypto hodler’s seed phrase