Potential Turnstile Vulnerability: Attacker Bypassed Validation

What is the name of the domain?

veevartapp.com

What is the issue you’re encountering?

An attacker successfully bypassed Turnstile validation and accessed a restricted part of my website. This raises concerns about a potential vulnerability or misconfiguration in Turnstile.

What steps have you taken to resolve the issue?

  • Reviewed the Turnstile implementation to ensure it follows Cloudflare’s official documentation.
  • Checked server and application logs for any unusual activity or errors.

Turnstile is just a fancy CAPTCHA. It’s not to block restricted areas, it’s just to make sure the visitor is not a bot.

What is it about your Turnstile set up that leads you to believe it’s supposed to block unauthorized access to a part of your website?

I believe the problem is the CAPTCHA being solved automatically by services like

(just quick googling).
Me too, I am not content with the fact that it’s not protected against things like this.

There is a phishing clone of one of my websites, where people are being scammed.
I thought I’d protect my users by adding this widget, and hence prevent their proxy tunnels from working.

After several days I see a new clone that successfully scams people by imitating my website (less the CF captcha) and successfully logs into the real website on behalf of the scammed users.

Is there anything I can do to prevent this?

I mean, of course there are login / password things to protect restricted areas, but there is also the CF Turnstile widget for protecting against robotized logins, which is failing in its role.
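The server-side check the replies above describe, as an added example that is not code from this thread or from Cloudflare: the widget token is sent to siteverify, the returned hostname is compared with the site's own domain, the token's age is bounded, and only after that gate do the credentials decide access. The siteverify URL and response fields are Cloudflare's documented ones; the hostnames, timestamps, sample verdicts and the credential callback are constructed placeholders, and the demo runs on those constructed verdicts without a network call.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
TOKEN_MAX_AGE = timedelta(minutes=5)  # Turnstile tokens expire 300 s after issue


def fetch_verdict(secret: str, token: str, remote_ip: str) -> dict:
    """POST the widget token to Cloudflare siteverify; returns the parsed JSON."""
    body = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def turnstile_passed(verdict: dict, expected_hostname: str, now: datetime) -> bool:
    """True only for a successful, fresh verdict issued for OUR hostname.
    A token minted on any other hostname (e.g. a look-alike clone) is rejected."""
    if not verdict.get("success") or verdict.get("hostname") != expected_hostname:
        return False
    ts = verdict.get("challenge_ts")
    if not ts:
        return False
    issued = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return timedelta(0) <= now - issued <= TOKEN_MAX_AGE


def login(verdict: dict, username: str, password: str,
          check_credentials: Callable[[str, str], bool],
          expected_hostname: str, now: datetime) -> str:
    """Turnstile only gates the request; the credential check is what grants access."""
    if not turnstile_passed(verdict, expected_hostname, now):
        return "blocked: turnstile"
    if not check_credentials(username, password):
        return "denied: bad credentials"
    return "ok"


# Constructed sample verdicts: same shape as real siteverify JSON, made-up values.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
GOOD = {"success": True, "hostname": "veevartapp.com",
        "challenge_ts": "2024-05-01T11:58:30.000Z", "error-codes": []}
CLONE = dict(GOOD, hostname="veevartapp-login.example")   # token minted on a clone
STALE = dict(GOOD, challenge_ts="2024-05-01T11:40:00.000Z")  # older than 5 minutes
FAILED = dict(GOOD, success=False, **{"error-codes": ["invalid-input-response"]})

# Hypothetical credential check standing in for the application's real one.
def demo_credentials(user: str, pw: str) -> bool:
    return (user, pw) == ("alice", "correct horse battery staple")
```

In production the verdict passed to `login` comes from `fetch_verdict`, and a verdict that fails the hostname or freshness check is worth logging as a separate event from a wrong password.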