ChatGPT Won't Let You Type Until Cloudflare Reads Your React State
5 hours ago
- #encryption
- #cybersecurity
- #bot-detection
- Every ChatGPT message triggers a Cloudflare Turnstile program in the browser, checking 55 properties across browser, Cloudflare network, and ChatGPT React app layers.
- The program is encrypted but decryptable; an XOR key is embedded in the bytecode, allowing full decryption from HTTP traffic.
- Properties include browser fingerprints (e.g., WebGL, screen, fonts), Cloudflare edge headers (e.g., location), and React internals (e.g., __reactRouterContext).
- This verifies not just a real browser, but a fully booted ChatGPT React application, adding application-layer bot detection.
- Additional challenges include Signal Orchestrator for behavioral biometrics and Proof of Work for compute cost, but fingerprinting is central.
- Encryption hides details from static analysis but isn't cryptographically secure; the key is in the payload, enabling analysis.
- Data from 377 decrypted programs shows consistency in properties and variation in instructions and keys.