Warning: Default mobile functionality can cause you to lose all your cryptocurrencies

Last week, a Reddit user named Divinux drew attention to a vulnerability, present on all mobile phones, that exposes the seed phrase of the owner's cryptocurrency wallet. In this way, it can cause you to lose all your cryptocurrencies.

The vulnerability is related to the predictive text engine found on both Android and iOS smartphones. When you type your seed phrase even once, the string of words is stored in the memory of the phone's native keyboard application.

Of course, the chances of this being exploited are slim: the attacker would have to have your cell phone in hand and guess what the first word is (there are 2048). However, you can never be too careful when it comes to keeping your cryptocurrencies secure.

What are seed phrases?

Seed phrases are an alternative to using private keys to access cryptocurrency wallets. Proposed in 2013 and used as an industry standard ever since, such phrases, which are usually 12 or 24 words long, are easier to store and enter than the old private keys.

As for security, it is still the same as with the old method. Such a phrase is generated from a list of 2048 words and thus has a difficulty of 2048 to the 12th power (2048*2047*2046…).

Another curiosity is that most wallets, regardless of which cryptocurrencies they store, use the same word list, created for Bitcoin in BIP-39. Therefore, if you use the same phrase to store multiple coins, be doubly careful.

Vulnerability on mobile phones

While seed phrases are great and practical, Divinux, a Reddit user, pointed out a vulnerability found on both Android and iOS phones. It is linked to the predictive text engine, which suggests the next word to type based on your history.

Since wallets ask you to re-enter the 12 words after you create your wallet, to make sure you wrote them down, the words are saved in your keyboard app forever.

To prove the point, Divinux suggests that people open a chat app (such as WhatsApp or Telegram) and type the first word of the seed phrase. According to Divinux, the remaining words will then appear as suggestions for the next word to be inserted. It’s like typing “everything” and the app suggesting “good”.

Despite this, the attacker would need not only to have the victim's cell phone in hand, but also to be lucky enough to guess the first word out of the 2048 on the list. Still, even though it is difficult to prevent, Divinux’s comment points out that the vulnerability is even greater for Brazilians.

“In my case, my phone is not in English, so it automatically adds typed words to the dictionary, meaning my custom dictionary contains words in my language and 24 words in English”

How to clear the keyboard history

One of the solutions mentioned by Divinux is to clear your keyboard history, be it from Google, Samsung or Apple. This way the keyboard forgets that combination, as well as all your writing patterns.

The step-by-step instructions can be found on the official pages of these companies. If you are a Gboard user, check the Google page; if you use the Samsung keyboard, visit the Samsung page; and if you use an iPhone or iPad, visit Apple support.
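The behaviour described in this section, as an added example that is not from the original article or from any keyboard vendor: a toy next-word predictor showing why a phrase typed once stays recoverable from its first word, and why clearing the history removes it. The bigram model is an assumption about how suggestions work, not the actual Gboard, Samsung or Apple engine, and the phrase and chat messages are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample data: not a real wallet phrase or real chat history.
PHRASE = "maple copper window river anchor velvet tunnel basket meadow ladder pepper candle"
CHAT_HISTORY = ["see you at lunch", "see you tomorrow", "see them later", "good morning everyone"]


class ToyKeyboard:
    """Hypothetical predictor: remembers which word followed which (bigrams)."""

    def __init__(self):
        self.followers = defaultdict(Counter)

    def learn(self, text):
        words = text.lower().split()
        for prev, nxt in zip(words, words[1:]):
            self.followers[prev][nxt] += 1

    def suggest(self, word, k=3):
        counts = self.followers.get(word.lower(), Counter())
        return [w for w, _ in counts.most_common(k)]

    def follow(self, first_word, max_words=24):
        """Keep accepting the top suggestion, as tapping the suggestion bar does."""
        chain = [first_word.lower()]
        while len(chain) < max_words:
            top = self.suggest(chain[-1], 1)
            if not top or top[0] in chain:  # nothing learned, or a loop
                break
            chain.append(top[0])
        return chain

    def clear_history(self):
        self.followers.clear()


def demo():
    kb = ToyKeyboard()
    for message in CHAT_HISTORY:
        kb.learn(message)
    kb.learn(PHRASE)  # typed once, when the wallet asks to confirm the phrase
    everyday = kb.suggest("see")           # common word: competing suggestions
    before = kb.follow(PHRASE.split()[0])  # rare words: exactly one follower each
    kb.clear_history()
    after = kb.follow(PHRASE.split()[0])
    return everyday, before, after


if __name__ == "__main__":
    everyday, before, after = demo()
    print("suggestions after 'see':", everyday)
    print("before clearing:", " ".join(before))
    print("after clearing: ", " ".join(after))
```

Because the phrase words almost never occur in ordinary messages, each one has a single learned follower, which is why the chain comes back intact until the history is cleared.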

Source: Live Coins