72 Trust
Likely Accurate
Web Verified
Christine Lemmer-Webber on Mastodon, 15h ago
ChatGPT Won't Let You Type Until Cloudflare Reads Your React State. I Decrypted the Program That Does It https://www.buchodi.com/chatgpt-wont-let-you-type-until-cloudflare-reads-your-react-state-i-decrypted-the-program-that-does-it/
There's a comment by one of OpenAI's employees over on Hacker News https://news.ycombinator.com/item?id=47567575
Of course, the irony of "this is being done to be able to keep our endpoints from being abused" isn't being lost over there either https://news.ycombinator.com/item?id=47568172
I continue to say: I am not against AI, but I *am* against the AI industry (and deeply critical of the effectiveness of current tech and its risks vs how it is sold), and a large portion of it is the intentional power grab dynamics and hypocrisy.
Hard to think of a better example of hypocrisy that apparently one of the mitigations is that they require clients to execute proof of work! Anubis, anyone?
Trust Metrics
Claim Accuracy: 78%
Source Quality: 82%
Framing & Tone: 65%
Context: 55%
Analysis Summary
A security researcher decrypted Cloudflare Turnstile's bot-detection program used by ChatGPT and found it collects 55 browser, network, and React properties to verify you're running the actual application, not just a headless bot. The technical analysis is detailed and appears rigorous (50/50 successful decryptions claimed), but the specifics can't be independently verified without live access. The post frames this as a 'power grab' and hypocrisy by OpenAI, which is commentary on OpenAI's public stance versus actual practices: a fair rhetorical point but separate from the technical findings.
Claims Analysis (5)
"ChatGPT triggers a Cloudflare Turnstile program that runs silently in your browser"
Technical analysis with detailed decryption of 377 samples. Cloudflare Turnstile is publicly documented; article provides specific technical evidence of its deployment in ChatGPT.
"The Turnstile program checks 55 properties spanning browser, network, and React application layers"
Article lists specific properties and their categories. Claims are technically detailed and internally consistent. Cloudflare's actual implementation details cannot be independently verified outside the decryption analysis provided.
"The program verifies that you're running a real browser that has fully booted a specific React application"
Article demonstrates React internals checking (__reactRouterContext, loaderData). The inference about 'full boot' requirement is reasonable but derived from bytecode analysis, not Cloudflare/OpenAI's stated design.
"The Turnstile bytecode arrives encrypted and can be decrypted using the XOR key embedded in the payload"
Technical walkthrough appears rigorous with 50/50 verification claimed. The decryption chain is detailed. However, we cannot independently replicate the decryption without access to live ChatGPT traffic.
"One mitigation involves requiring clients to execute proof of work"
Post mentions 'proof of work' requirement but the article excerpt doesn't detail this as a separate mechanism; it describes Turnstile fingerprinting. Post may be referring to undescribed challenge layers but specificity is unclear.