Cloudflare Turnstile does not allow up to 90% of legitimate traffic

What is the name of the domain?

boticord.top

What is the issue you’re encountering?

We use Cloudflare Turnstile in non-interactive mode to protect ratings from bot fraud, but a few hours ago (about 11:00 08.07.2024 GMT), about 90% of real users can no longer pass the captcha. You can see the massive drop in solve rate in the attached screenshot. These are not bots, our staff checked personally and also cannot pass the captcha. This problem applies to all browsers and all operating systems. The turnstile just freezes and doesn’t give any response or error. If you connect to the Internet via WARP, the problem disappears, but we are not 100% sure about it.

What steps have you taken to resolve the issue?

We looked at what Turnstile was trying to do and saw that in the case of a captcha “error”, after the request that issues 401, there is only 1 request, and nothing else, no errors in the console, no result at all. In the case when the captcha is passed, after the 401 request, 2 more requests occur, after which our code is executed.

What are the steps to reproduce the issue?

We believe that to reproduce, you need to turn Turnstile into non-interactive mode, connect it via https://challenges.cloudflare.com/turnstile/v0/api.js to the site, and then call via turnstile.render('#element-id') with options: 'retry': 'never', 'refresh-expired': 'never'.

Screenshot of the error

I’ve started to get a similar problem in the last few hours. But weirdly if I open Chrome Incognito, or a separate browser like Firefox, I can pass Turnstile. I’m not sure what percentage of users were having the problem but it was significant (i.e. >10% for sure). Not sure what’s going on here. For now I’ve had to temporarily disable Turnstile on my site.

Edit: One possibility is that a code change/bug on my site caused an increase in the number of Turnstile verification requests (by a factor of about 5x, I think), which then caused a “heightened security” mode to be triggered due to suspected abuse, or something like that. Though I’m still not entirely sure whether the increased verification requests were simply caused by failing verifications RE something on Cloudflare’s end, or by code changes on my end. I’m less certain that my particular issue here is a Cloudflare problem vs a “me” problem now though.

Not sure if the same issue, but all 40 sites that I have using Turnstile are now failing, started within the last few hours.
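Added example, not part of the thread and not Cloudflare's or any poster's code: a wrapper around the `turnstile.render` call from the original report (`retry: 'never'`, `refresh-expired: 'never'`) that turns the silent freeze into an observable outcome by racing the widget's callbacks against a watchdog timer. The function name `renderWithWatchdog`, the 15-second default, the outcome labels and the injectable timer options are assumptions made for this example; the site key is a placeholder.

```javascript
// With retry disabled, a widget that never calls back leaves the page with
// no signal at all. This wrapper reports exactly one outcome per render:
// 'solved', 'error', 'expired', or 'hung' (no callback before the deadline).
function renderWithWatchdog(turnstile, selector, sitekey, onOutcome, opts = {}) {
  const timeoutMs = opts.timeoutMs ?? 15000;         // assumed deadline
  const setTimer = opts.setTimer ?? setTimeout;      // injectable for tests
  const clearTimer = opts.clearTimer ?? clearTimeout;
  let settled = false;
  let timer;

  // First outcome wins; later callbacks (or the timer) are ignored.
  const settle = (status, detail = null) => {
    if (settled) return;
    settled = true;
    clearTimer(timer);
    onOutcome({ status, detail });
  };

  const widgetId = turnstile.render(selector, {
    sitekey,
    retry: 'never',
    'refresh-expired': 'never',
    callback: (token) => settle('solved', token),
    'error-callback': (code) => settle('error', code),
    'expired-callback': () => settle('expired'),
  });

  // If nothing above fires in time, surface the freeze instead of waiting.
  timer = setTimer(() => settle('hung'), timeoutMs);
  return widgetId;
}

// Browser usage, once api.js has loaded. 'YOUR-SITE-KEY' is a placeholder.
if (typeof window !== 'undefined' && window.turnstile) {
  renderWithWatchdog(window.turnstile, '#element-id', 'YOUR-SITE-KEY',
    (outcome) => console.log('turnstile outcome:', outcome.status, outcome.detail));
}
```

Sending the `hung` and `error` outcomes to your own telemetry gives a client-side failure rate to compare against the solve rate shown in the Turnstile dashboard.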