redactsure (u/redactsure)

redactsure commented on Break my algorithm –> take the plaintext $20 Bitcoin you can control (Round 4) app.redactsure.com/... · Posted by u/redactsure

howdoibtc · 3 hours ago

Wufoo.com -> Demo -> Form Settings -> Pasting the key in the description caused the preview to show the key.

This was sort of finicky to do, I'm not sure how reproducible it is? I also had the BTC key shoved in a bunch of other fields, some of which became partially visible.

redactsure · 3 hours ago

Thanks! This is a good one. Looks like their dynamic content grabs it and places it there. It's definitely finicky.

It's gonna be a fun debug session. Timing/race conditions are always fun to debug!

redactsure commented on Break my algorithm –> take the plaintext $20 Bitcoin you can control (Round 4) app.redactsure.com/... · Posted by u/redactsure

redactsure · 4 hours ago

I have a new browser security method. Inside this link you'll have access to a virtual browser environment. In this environment you will have the ability to control and access a plain text private bitcoin key worth 20$. There is only a single key, first one to take it ends the challenge for all.

-> Demo Signup: https://app.redactsure.com -> Bitcoin Checker: https://redactsure.com/bitcoinchallenge -> Previous Winners: https://redactsure.com/leaderboard

Note: - No mobile, keyboard required - Requires you to verify an email - Any bug is eligible for a prize if it's something I haven't seen before, just tell me.

Some people were asking about implementation I'll provide a few details. - A server hosted browser - I manipulate what you are seeing on the webpage in real time - While I don't change the underlying webpage I do manipulate your actions to the webpage - A transformer model runs in real time along side you (tries to find all sensitive words you see)

Overall the system's goals are to allow you to perform work without ever seeing the data. It's in a early prototype stage and I expect a large numbers of edge cases just from the nature of the problem. The bitcoin is a proxy to the real goal which is protecting real PII in remote work settings.

It would be nice if you tell me the bug. I would like to post how you broke it.

redactsure commented on See if you can break my hiding algorithm –> take the private key redactsure.com/bitcoincha... · Posted by u/redactsure

cikito2131 · a day ago

got it. went to the html form example, pasted into the text box and then tried uploading a file. "Access to local files ..." text on the top of the page moved the whole page down, exposing the key.

redactsure · a day ago

Ahhh, this is fun. My own security policy working against me! back to top of the leaderboard for you!

redactsure commented on Show HN: Bitcoin Challenge. Try to steal a plain text private key you can use app.redactsure.com/... · Posted by u/redactsure

redactsure · a day ago

Challenge is back up if anyone is still interested in a try: https://redactsure.com/bitcoinchallenge/

redactsure commented on See if you can break my hiding algorithm –> take the private key redactsure.com/bitcoincha... · Posted by u/redactsure

cikito2131 · a day ago

The key Nextgrid pasted is correct, I got the coins under email kiknubesti@necub.com. I got the key by pasting into the text input line in the HTML input types demo and adding spaces after the text. The box blocking the view moved to the left and uncovered some characters. I then selected these characters and while dragging left, the key was revealed one by one, which I then OCRd from the screencap. Though at some point after it, typing spaces after the text wasn't possible anymore with an error message saying that editing is prohibited.

redactsure · a day ago

Up...again

redactsure commented on See if you can break my hiding algorithm –> take the private key redactsure.com/bitcoincha... · Posted by u/redactsure

howdoibtc · a day ago

That explains why the validator error looked entirely different when I tried to reproduce it locally -- I was wondering about that.

And yeah, it's a CTF, gotta hold onto issues until the flag redemption is back up.

redactsure · a day ago

bet you couldn't do it again. It's back up. Patch is a bit hacky but should work plus I blocked the signup page.

Real patch is a chromium update (like a week of work) so imma avoid that until needed.

redactsure commented on See if you can break my hiding algorithm –> take the private key redactsure.com/bitcoincha... · Posted by u/redactsure

howdoibtc · a day ago

Launch Electrum, create a new wallet, "Import Bitcoin addresses or private keys", paste in the recovered key.

If you just paste the raw key, Electrum uses a legacy format, and none of the transactions show up for that private key. Adding the "p2wpkh:" prefix to the key makes the transactions show up, but I realized that well after someone else claimed it.

I don't know if this is an Electrum thing, if this is considered general knowledge now for those who regularly use BTC, or if it's a quirk of how BTC has evolved.

redactsure · a day ago

that was brutal! I knew you were holding out something. Oh man this is a brutal bug as well. That's an OS popup! That's gonna take me some time.

Actually even worse it's neither an OS level or dom level item custom chrome rendering layer.

redactsure commented on See if you can break my hiding algorithm –> take the private key redactsure.com/bitcoincha... · Posted by u/redactsure

howdoibtc · a day ago

Launch Electrum, create a new wallet, "Import Bitcoin addresses or private keys", paste in the recovered key.

If you just paste the raw key, Electrum uses a legacy format, and none of the transactions show up for that private key. Adding the "p2wpkh:" prefix to the key makes the transactions show up, but I realized that well after someone else claimed it.

I don't know if this is an Electrum thing, if this is considered general knowledge now for those who regularly use BTC, or if it's a quirk of how BTC has evolved.

redactsure · a day ago

back up if you want another chance