Redditor Andre highlighted the ease with which hackers can use the text prediction feature to drain a user’s funds just by being able to first word out of the BIP 39 list.
Seed phrases, a random combination of words from the Bitcoin Improvement Protocol (BIP) 39 list of 2048 words, act as one of the primary layers of security against unauthorized access to a user’s crypto holdings. But, what happens when your “smart” phone’s predictive typing remembers and suggests the words next time you try to access your digital wallet?
Andre, a 33-year-old IT professional from Germany, recently posted on the r/CryptoCurrency subreddit after discovering his mobile phone’s ability to predict the entire recovery seed phrase as soon as he typed down the first word.
As a fair warning to fellow Redditors and crypto enthusiasts, Andre’s post highlighted the ease with which hackers can use the feature to drain a user’s funds just by being able to type the first word out of the BIP 39 list:
“This makes it easy to attack, get your hands on a phone, start any chat app, and start typing any words off the BIP39 list, and see what the phone suggests.”
Andre, otherwise known as u/Divinux on Reddit, shared his shock when he first experienced his phone literally guessing the 12-24 word seed phrase. “First, I was stunned. The first couple words could be a coincidence, right?”
As a tech-savvy individual, the German crypto investor was able to reproduce the scenario wherein his mobile phone could accurately predict the seed phrases. After realizing the possible impact of this information if it went out to the wrong hands, “I thought I should tell people about it. I’m sure there are others who also have typed seeds into their phone.”
Andre’s experiments confirmed that Google’s GBoard was the least vulnerable as the software did not predict every word in the correct order. However, Microsoft’s Swiftkey keyboard was able to predict the seed phrase right out of the box. The Samsung keyboard, too, can predict the words if “Auto replace” and “Suggest text corrections” have been manually turned on.
Andre’s initial stint with crypto dates back to 2015 when he momentarily lost interest until he realized he could buy goods and services using Bitcoin (BTC) and other cryptocurrencies. His investment strategy involves purchasing and staking BTC and altcoins such as Terra (LUNA), Algorand (ALGO) and Tezos (XTZ) and “then dollar-cost averaging out into BTC when/if they moon.” The IT professional also develops his own coins and tokens as a hobby.
A safety measure against possible hacks, according to Andre, is to store significant and long-term holdings in a hardware wallet. To Redditors across the world, he advises “not your keys not your coins, do your own research, don’t FOMO, never invest more than you are willing to lose, always double-check the address you are sending to, always send a small amount beforehand and disable your PMs in settings,” concluding:
“Do yourself a solid and prevent that from happening by clearing your predictive type cache.”
Blockchain security firm PeckShield warned the crypto community about a large number of phishing websites targeting users of the Web3 lifestyle app STEPN.
#PeckShieldAlert #phishing PeckShield has detected a bath of @Stepnofficial phishing sites. They insert a false Metamask browser extension leading to stealing your seed phrase or prompt you to connect your wallets or “Claim” giveaway. @Metamask @Coinbase @WalletConnect @phantom pic.twitter.com/cmWUcprMAN
— PeckShieldAlert (@PeckShieldAlert) April 25, 2022
Based on PechShield’s findings, hackers insert a forged MetaMask browser plugin through which they can steal seed phrases from unsuspecting STEPN users.
Access to seed phrase guarantees complete control over the user’s crypto funds via the STEPN dashboard.