Seed phrases, a random combination of words from the Bitcoin Improvement Proposal (BIP) 39 list of 2048 words, act as one of the primary layers of security against unauthorized access to a user’s crypto holdings. But what happens when your “smart” phone’s predictive text remembers those words and suggests them the next time you try to access your digital wallet?
Andre, a 33-year-old IT professional from Germany, recently posted on the r/CryptoCurrency subreddit after discovering that his mobile phone could predict his entire recovery seed as soon as he typed the first word.
As a warning to other Redditors and crypto enthusiasts, Andre’s post highlighted how easily an attacker could use the feature to drain a user’s funds simply by being able to type the first word from the BIP39 list:
“This makes it easy to attack, get your fingers on a phone, launch any chat app and start typing words from the BIP39 list and see what the phone suggests.”
Speaking to Cointelegraph, Andre, known as u/Divinux on Reddit, described his shock when he first saw his phone guess the 12-24 word phrase. “First of all, I was shocked. The first few words could be a coincidence, right?”
As a technically savvy person, the German crypto investor was able to reproduce the scenario in which his phone accurately predicted the seed phrase. After realizing what this could mean if the information fell into the wrong hands, “I thought I should tell people about it. I’m sure there are others who have also typed seeds into their telephone.”
Andre’s experiments confirmed that Google’s Gboard was the least vulnerable, as the software did not predict every word in the correct order. Microsoft’s SwiftKey keyboard, however, predicted the seed phrase right out of the box. The Samsung keyboard can also predict the words if “Automatic replacement” and “Suggest text corrections” have been enabled manually.
Andre’s first foray into crypto goes back to 2015, when he briefly lost interest until he realized he could buy goods and services using Bitcoin (BTC) and other cryptocurrencies. His investment strategy involves buying and staking BTC and altcoins such as Terra (LUNA), Algorand (ALGO) and Tezos (XTZ) and “then dollar cost average out into BTC when/if they moon.” The IT professional also develops his own coins and tokens as a hobby.
A precaution against possible hacks, according to Andre, is to store significant and long-term holdings in a hardware wallet. To Redditors worldwide he advises: “not your keys, not your coins, do your own research, do not FOMO, never invest more than you are willing to lose, always double-check the address you send to, always send a small amount first and disable your PMs in settings,” concluding:
“Keep yourself safe and prevent that from happening by clearing your predictive text cache.”
Related: STEPN imitators are stealing users’ seed phrases, security experts warn
Blockchain security firm PeckShield warned the crypto community about a large number of phishing sites targeting users of the Web3 lifestyle app STEPN.
#PeckShieldAlert #phishing PeckShield has discovered a batch of @Stepnofficial phishing sites. They insert a fake MetaMask browser extension that leads to stealing your seed phrase, or ask you to plug in your wallets or “Claim” a giveaway. @Metamask @Coinbase @WalletConnect @fantom pic.twitter.com/cmWUcprMAN
– PeckShieldAlert (@PeckShieldAlert) April 25, 2022
As Cointelegraph recently reported, based on PeckShield’s findings, hackers are planting a fake MetaMask browser plugin through which they can steal seed phrases from unsuspecting STEPN users.
Access to the seed phrase guarantees complete control over the user’s cryptocurrencies via the STEPN dashboard.