Show HN: Bitcoin Challenge. Try to steal a plain text private key you can use

[redactsure]

Hi HN, I'm releasing my round one public demo of a new browser security system I've been developing.

There's a real Bitcoin private key (worth $20) in plaintext at app.redactsure.com. You can copy it, paste it, delete it, move it around - full control. But you can't see the actual characters or extract them.

The challenge: Break the protection and take the Bitcoin. First person wins, challenge ends.

Details: - Requires email verification (prevents abuse, no account needed) - 15 minute time limit per session - Currently US only for the demo (latency) - Verify the Bitcoin is real: https://redactsure.com/bitcoinchallenge

Technical approach: - Cloud-hosted browser with real time NER model - Webpages are unmodified - Think of it as selective invisibility for sensitive data. You can interact with it normally, just can't see or extract it

Looking for feedback on edge cases in the hiding/protection algorithm. Happy to answer questions about the implementation.

[cikito2131]

i took the coins (temp email cikito2131@evoxury.com) went to the tools site you linked, main page and to the tool that makes pictures from text. pasted into textbox and it wasn't hidden. Spent more time figuring out how to do the wallet stuff

[redactsure]

lol that's dumb of me. I figured one of the websites would have a vulnerability like that. Images should be hidden but clearly not!

Anyways. Thanks for the feedback! I'll be back when I add a patch.

[redactsure]

bug was literally 1 line of code.

I might be back up today if you want another shot.

I had no idea evil tester website had so many tools throughout it!

[chistev]

Smart people exist.

[redactsure]

Challenge is back up if anyone is still interested in a try: https://redactsure.com/bitcoinchallenge/

[redactsure]

Challenge is back up if anyone is still interested in a try:

https://redactsure.com/bitcoinchallenge/

[howdoibtc]

fwiw I was able to get a private key out of the system, but there's no BTC/transactions associated with it. Dunno if that's an error on my part (although the key has a valid checksum) or the wrong key got uploaded.

[halfcat]

If the data exists on the client, isn’t it going to be susceptible to compromise no matter what?

[redactsure]

It is not on the client. Challenge is back up please give it a try.

https://redactsure.com/bitcoinchallenge/

[shibeprime]

So its over and 3PCVMB3GfvRrMG9cav6EQwSBoWzjS7gLiW got it?

[redactsure]

yup if I can fix the problem today I'll launch tomorrow same thing.

[Disposal8433]

> 15 minute time limit per session

Why? That's not how security works.

[redactsure]

I have to to host a gpu node per session so 15min is to reduce cost and allow more people to try it.

It's not traditional security testing. I want you to break the hiding algorithm which requires no security knowledge other than copy paste and typing.

The private key is in plain text on the instance you can copy and paste it or delete it anywhere you like.