A German crypto investor and IT expert, known on Reddit as u/Divinux, explained how a smartphone keyboard's predictive text feature can compromise a cryptocurrency seed phrase.
The blogger's real name is Andre. He posted a warning on the r/CryptoCurrency subreddit that his smartphone was able to predict the seed phrase used to restore access to his cryptocurrency as soon as the first word from the BIP 39 list was typed.
BIP 39 (Bitcoin Improvement Proposal 39) defines a list of 2,048 words in alphabetical order. A random combination of words from this list serves as the seed phrase, one of the main layers of protection against unauthorised access to a user's cryptocurrency assets.
"I was stunned and it seemed that the first couple of words might have just been a coincidence. Then I saw my phone literally guessing a seed phrase of 12-24 words," Andre shared his observation.
Awareness of the potential impact of this information if it fell into the wrong hands prompted the blogger to "tell people about it". The German investor's experiments showed that Google's Gboard was the least vulnerable, because it did not predict every word in the correct order. Microsoft's SwiftKey keyboard was able to predict the whole phrase with its default settings, while Samsung's keyboard can predict the words if "Auto-Swap" and "Suggest Text Correction" are enabled. Andre wondered how easily hackers could use this feature to access user funds simply by typing the first word from the BIP 39 list:
“Take your phone in your hand, launch any chat app, start typing any words from the BIP39 list and see what the phone suggests.”
One of the reasons a seed phrase can be compromised when it is typed on a smartphone, Andre believes, is that the keyboard's predictive-text cache is stored on the phone itself.
Cybersecurity firm PeckShield reported that attackers flooded the Internet with phishing sites imitating the gaming project Stepn in order to steal seed phrases from users' wallets.
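The mechanism Andre describes is the ordinary next-word learning that predictive keyboards do on everything typed into a text field. The following is an added illustration, not code from the Reddit post or from any keyboard vendor: a toy bigram predictor that learns from typing history, reproduces a once-typed seed phrase from its first word, and a hypothetical guard (`should_learn`) that refuses to learn text made up almost entirely of wordlist words. The 24-word `WORDLIST` is a constructed stand-in for the real 2,048-word BIP 39 list, and the typing history is invented sample input.

```python
"""Toy model of how a predictive keyboard memorises a seed phrase.

Added example (not from the original post). WORDLIST is a constructed
subset standing in for the real 2,048-word BIP 39 list; the typing
history in demo() is invented sample input.
"""
from collections import Counter, defaultdict

# Constructed 24-word subset; the real BIP 39 list has 2,048 entries.
WORDLIST = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account", "accuse",
    "achieve", "acid", "acoustic", "acquire", "across", "act", "action",
    "actor", "actress", "actual",
}


class BigramPredictor:
    """Minimal next-word predictor: remembers which word followed which."""

    def __init__(self):
        # word -> Counter of words that followed it in learned text
        self.following = defaultdict(Counter)

    def learn(self, text):
        """Update the cache from one piece of typed text."""
        words = text.lower().split()
        for prev, nxt in zip(words, words[1:]):
            self.following[prev][nxt] += 1

    def suggest(self, word):
        """Most frequent successor of `word`, or None if never seen."""
        counts = self.following.get(word.lower())
        if not counts:
            return None
        return counts.most_common(1)[0][0]

    def predict_chain(self, first_word, length):
        """Follow suggestions from `first_word` up to `length` words."""
        chain = [first_word]
        while len(chain) < length:
            nxt = self.suggest(chain[-1])
            if nxt is None:
                break
            chain.append(nxt)
        return chain


def wordlist_fraction(text, wordlist=WORDLIST):
    """Share of the words in `text` that belong to `wordlist`."""
    words = text.lower().split()
    if not words:
        return 0.0
    return sum(w in wordlist for w in words) / len(words)


def should_learn(text, wordlist=WORDLIST, threshold=0.75, min_words=6):
    """Hypothetical guard: skip learning from long runs of wordlist words.

    Short messages are always learned; a run of min_words or more in which
    at least `threshold` of the words are wordlist entries is treated as a
    probable seed phrase and kept out of the cache.
    """
    words = text.lower().split()
    return len(words) < min_words or wordlist_fraction(text, wordlist) < threshold


def demo():
    """Return (naive chain, guarded chain) predicted from the first word."""
    # Constructed typing history: one chat message and one seed phrase
    # that the user pasted into a chat app once.
    chat = "see you at eight tonight, can you make it"
    seed = ("abandon ability able about above absent absorb abstract "
            "absurd abuse access accident")
    naive = BigramPredictor()
    guarded = BigramPredictor()
    for text in (chat, seed):
        naive.learn(text)
        if should_learn(text):
            guarded.learn(text)
    return naive.predict_chain("abandon", 12), guarded.predict_chain("abandon", 12)


if __name__ == "__main__":
    naive_chain, guarded_chain = demo()
    print("naive keyboard :", " ".join(naive_chain))
    print("guarded keyboard:", " ".join(guarded_chain))
```

With the naive predictor, typing `abandon` walks the cache straight through all twelve words, which is exactly the behaviour reported in the post; the guarded predictor never stored the phrase, so it has nothing to suggest after the first word. The threshold-based guard is an assumption for illustration only: it reflects the general mitigation of not letting secret-bearing input reach the learning cache (wallet apps can mark their fields as non-learning, and users can clear learned words), not a feature of any particular keyboard.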