Cloudflare Turnstile WebGL Check Blocks Privacy-Focused Browsers

The incident highlights a fundamental clash between privacy-focused browser hardening and the fingerprinting techniques that CAPTCHA replacements like Turnstile rely on to block bots.

Reporting from 1 source: GIGAZINE.

Haelwenn Monnier, developer of the BadWolf browser, reported that Cloudflare Turnstile's authentication enters an infinite loop on WebKitGTK-based browsers when WebGL fingerprinting is blocked. Turnstile uses WebGL renderer data as a signal to distinguish humans from bots, but browsers that generalize or hide that data for privacy reasons are flagged as suspicious, causing a conflict between privacy protection and bot detection.

Haelwenn Monnier, developer of the privacy-focused BadWolf browser, reported that Cloudflare Turnstile's human verification enters an infinite loop on WebKitGTK-based browsers, making multiple websites inaccessible. Turnstile, a CAPTCHA replacement, runs small JavaScript challenges in the browser and collects signals including WebGL renderer information to identify visitors. When BadWolf prevented WebGL fingerprint collection, Turnstile displayed a message that the renderer information was spoofed and treated the privacy measure as suspicious behavior. The issue reflects a broader tension: tools that hide or generalize GPU data to prevent tracking can look like bots to detection systems that rely on that same data.
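The renderer signal described above, as an added example (not Turnstile's or BadWolf's code): the states a page script can observe when it reads the WebGL renderer string through the standard `WEBGL_debug_renderer_info` extension. The state names, the list of generalized strings and the stub contexts are assumptions made for illustration; the page does not say how Turnstile scores any of them.

```javascript
// Added example: the renderer-string states a page script can observe.
// Constants below are defined by WebGL and WEBGL_debug_renderer_info.
const GL_RENDERER = 0x1F01;
const UNMASKED_RENDERER_WEBGL = 0x9246;

// Assumption: illustrative list of generalized strings, not Turnstile's rules.
const GENERIC_RENDERERS = [/^WebKit WebGL$/i, /^Apple GPU$/i, /^Mozilla$/i, /^Generic\b/i];

// `gl` is a WebGLRenderingContext, or null when WebGL is disabled.
function readRendererSignal(gl) {
  if (!gl) return { state: "webgl-unavailable", renderer: null };
  const masked = gl.getParameter(GL_RENDERER);
  const ext = gl.getExtension("WEBGL_debug_renderer_info");
  const unmasked = ext ? gl.getParameter(ext.UNMASKED_RENDERER_WEBGL) : null;
  if (!unmasked) return { state: "unmasked-withheld", renderer: masked };
  const generic = GENERIC_RENDERERS.some((re) => re.test(unmasked));
  return { state: generic ? "generalized" : "device-specific", renderer: unmasked };
}

// Browser entry point; outside a browser there is no canvas, so report that.
function probeBrowser() {
  if (typeof document === "undefined") return readRendererSignal(null);
  const canvas = document.createElement("canvas");
  return readRendererSignal(canvas.getContext("webgl"));
}

// Constructed stub standing in for a WebGL context (hypothetical helper).
// Pass `unmasked` as undefined to model a browser that withholds the extension.
function stubContext(masked, unmasked) {
  return {
    getExtension: (name) =>
      name === "WEBGL_debug_renderer_info" && unmasked !== undefined
        ? { UNMASKED_RENDERER_WEBGL }
        : null,
    getParameter: (p) =>
      p === UNMASKED_RENDERER_WEBGL ? unmasked : p === GL_RENDERER ? masked : null,
  };
}

// Constructed sample values, one per state.
const SAMPLES = {
  disabled: null,
  withheld: stubContext("WebKit WebGL", undefined),
  generalized: stubContext("WebKit WebGL", "Apple GPU"),
  specific: stubContext("WebKit WebGL", "ANGLE (Example Vendor, Example GPU 1000, OpenGL 4.6)"),
};
for (const [name, gl] of Object.entries(SAMPLES)) {
  console.log(name, readRendererSignal(gl));
}
```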

Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.

Sources