Monero seed "encryption" is vulnerable to known-plaintext key recovery
Adding a random number to your plaintext is not encryption unfortunately… I wish it was that simple. If you are using Monero's seed encryption feature and you are unsure about the implications of this weakness you should generate a new wallet, send all your funds to it and encrypt your seed using gpg's symmetric encryption feature.
Where is the bug?
Why is it a problem?
Adding a random number which represents the password to the plaintext compromises any other ciphertext that shares the same password if a plaintext is ever revealed. In cryptographic parlance this is known as a key recovery attack.
How can it be fixed?
The problem is caused by shoehorning security into an old format - 25 word format does not have enough room to fit an initialization vector. Encrypted seed should be extended by 6 words to include a 64-bit IV and a proper encryption algorithm should be used to protect it. Alternatively a GPG-like message format should replace words.
Why not report it through Monero’s VRP or HackerOne?
Monero project has a fairly long-standing tradition of attacking security researchers [ 1 ] [ 2 ] [ 3 ]. I don't consider the money to be worth the aggro. If that position ever changes in the future, I will be happy to work with them.
Is this bug present in Ryo?
No, we removed the seed encryption feature for now.