Turnstile bypass

Turnstile can be bypassed using services like 2captcha. Is it possible to verify what IP address solved the captcha? In this way I can make a verification in my backend of “is this the guy that solved the captcha?” and 2captcha would not work.

Hey!
You can use server side validation.
https://developers.cloudflare.com/turnstile/get-started/server-side-validation


It doesn’t seem to return the user’s IP


Will the remote IP parameter do this automatic check? There doesn’t seem to be any documentation about it, just “optional parameter”.

It only returns an accepted or declined status to the client. The client doesn’t need to see his IP back. But you can force returning the client IP if you are planning on checking it manually.

const ip = request.headers.get('CF-Connecting-IP');
This is the user’s IP.

I believe we are talking about different subjects or I’m sorry if I can’t understand it right, the problem is the following:

2captcha is a captcha solving service where people work solving captchas, which now supports Turnstile (December 7, 2022).

Let’s imagine that the 2captcha worker solves the Turnstile (they use modified browsers so the Turnstile JS does not detect that the browser is on the wrong site, 2captcha). The worker’s IP would be different from the IP that made the request to my /login. With this information, “IP who resolved the checkbox”, there would be no way for their services to be effective.

I would check in the backend: right, it was a success, but the IP that is trying to log in is not the same one that solved the challenge, so it gets blocked.

1 Like

Sorry I’m not following. Can you diagram your idea to block this 2captcha?

Hi @user2498, can I ask what you are using Turnstile for?
Depending on your threat model I wouldn’t worry too much about 2captcha. Captchas are always a bit of a cat and mouse game. Honestly, it was only a matter of time until a captcha solver service added support for Turnstile. The solvers also support hCaptcha and reCaptcha, so I think Cloudflare are aware of these services and will try to block them, and in turn the captcha solver services will try to make it work again. If you are that concerned about it, I would make sure your website is proxied by CF :orange: and tweak the firewall rules to block more traffic by adjusting the threat score or similar: Block requests by Threat Score · Cloudflare Firewall Rules docs, and challenge bad bots: Challenge bad bots · Cloudflare Firewall Rules docs

I doubt most websites are a target for using 2captcha against.

I don’t think there is a way to compare the IP addresses at this stage. IIRC the way that captcha solvers typically work is that the bad client sends any token to be solved, 2captcha solves it and sends the solved work back to the client. The client submits the solved ticket/token. AFAIK 2captcha doesn’t actually send network data back to compare any IP address to. Basically the client browser is just acting as a proxy, so the IPs will match anyway.

1 Like

Sorry, I did not see that it is a login page you are protecting. In that case I suggest implementing rate limiting on the login and related pages (password resets, etc.).
If you don’t want to program it yourself Cloudflare also has a rate-limit feature: Rate limiting rules · Cloudflare Web Application Firewall (WAF) docs
Rate limiting best practices · Cloudflare Web Application Firewall (WAF) docs

Hi! Sorry for disappearing. I totally agree that it’s a cat and mouse game.

“the bad client sends any token to be solved, 2captcha solves it and sends the solved work back to the client”

Yes, I would compare the bad client’s IP with the IP that resolved the challenge (if Turnstile returned it).

They would be different, because the 2captcha worker has a different IP than the bad client.
It just wouldn’t be effective if everyone had the same proxy, but then 2captcha would have to offer this service.

I also agree about the rate limit; my server already has it, but it’s more a matter of the person being able to log in with automation and mine data from my platform.

1 Like

Turnstile bypass is indeed supported by 2Captcha. Is there any way to prevent the bypass service?

I would also be interested in getting back the remote IP that solved the challenge in the verify response. This would allow us to check further if the IP that solved the challenge actually matches the IP that makes the request to our server in the end. Is this a planned feature?

I am a bit late to the party…

I also would like to be able to check the remote IP that solved the challenge. It seems easy to implement and would make Turnstile more secure, or at least more annoying to bypass.

There is a remoteip parameter in the server-side validation call but documentation says:

The remoteip parameter helps to prevent abuse by ensuring the current visitor is the one who received the token. This is currently not strictly validated.

I cannot understand why it is not strictly validated, which is frustrating. In my tests remoteip is always ignored. You can put whatever you want in there and validation is successful as long as the provided token is valid. At least we should be able to choose if we want the IP strictly validated… probably I am missing something here.
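Since remoteip is not strictly validated by siteverify, the checks a backend can enforce on its own are the ones in the documented response: success, hostname, action and challenge_ts, on top of siteverify's own single-use check on the token. The following is an added example, not code from this thread or from Cloudflare, of a Workers-style validation that still sends remoteip (taken from CF-Connecting-IP, as mentioned earlier in the thread) and then applies those local checks. The expected hostname and action, the secret, and the sample siteverify response are constructed values; the request object and the stubbed fetch in the demo at the bottom are hypothetical stand-ins for a real Worker request and the real network call.

```javascript
// Added example: server-side Turnstile validation with local policy checks.
// Assumes a Workers-style request (headers.get / formData) and the documented
// siteverify response fields: success, hostname, action, challenge_ts, error-codes.

const SITEVERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
const TOKEN_MAX_AGE_SECONDS = 300; // local upper bound on token age (constructed policy)

// Build the form body for siteverify. remoteip is sent even though it is not
// strictly validated, so Cloudflare can use it for its own abuse signals.
function buildSiteverifyBody(secret, token, remoteip) {
  const body = new URLSearchParams();
  body.set('secret', secret);
  body.set('response', token);
  if (remoteip) body.set('remoteip', remoteip);
  return body;
}

// Decide whether a siteverify result is acceptable for this endpoint.
// expected = { hostname, action }; now is injectable for testing.
function evaluateSiteverify(result, expected, now = new Date()) {
  if (!result || result.success !== true) {
    const codes = (result && result['error-codes']) || [];
    return { ok: false, reason: 'siteverify failed: ' + codes.join(',') };
  }
  // The token must have been issued for our own site, not another hostname.
  if (result.hostname !== expected.hostname) {
    return { ok: false, reason: 'hostname mismatch' };
  }
  // If the widget was configured with an action, require it to match this endpoint.
  if (expected.action && result.action !== expected.action) {
    return { ok: false, reason: 'action mismatch' };
  }
  // Reject tokens solved too long ago (challenge_ts is ISO 8601).
  const ageSeconds = (now.getTime() - Date.parse(result.challenge_ts)) / 1000;
  if (!(ageSeconds >= 0 && ageSeconds <= TOKEN_MAX_AGE_SECONDS)) {
    return { ok: false, reason: 'token too old' };
  }
  return { ok: true, reason: 'ok' };
}

// Full flow for a login handler: read the widget token, attach the visitor IP,
// call siteverify, then apply the local checks. fetchImpl is injectable.
async function verifyTurnstile(request, secret, expected, fetchImpl = fetch) {
  const form = await request.formData();
  const token = form.get('cf-turnstile-response');
  if (!token) return { ok: false, reason: 'missing token' };
  const ip = request.headers.get('CF-Connecting-IP');
  const res = await fetchImpl(SITEVERIFY_URL, {
    method: 'POST',
    body: buildSiteverifyBody(secret, token, ip),
  });
  return evaluateSiteverify(await res.json(), expected);
}

// Offline demo with a constructed request and a stubbed siteverify response.
(async () => {
  const fakeRequest = {
    headers: new Map([['CF-Connecting-IP', '203.0.113.5']]),
    formData: async () => new Map([['cf-turnstile-response', 'constructed-token']]),
  };
  const fakeFetch = async () => ({
    json: async () => ({
      success: true,
      hostname: 'example.com',
      action: 'login',
      challenge_ts: new Date().toISOString(),
    }),
  });
  const decision = await verifyTurnstile(
    fakeRequest, 'constructed-secret', { hostname: 'example.com', action: 'login' }, fakeFetch);
  console.log('decision:', decision);
})();
```

The hostname and action checks are what stop a token obtained for one site or one form from being replayed against another endpoint; siteverify itself rejects a token that has already been validated, so each token is usable for one request. None of this binds the token to the visitor's IP, which is exactly the gap the thread is about, so rate limiting on the login and reset endpoints remains the complementary control.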

I tried a Cloudflare Turnstile solver. It really works. It is very strange that the bypass can be automatic. Perhaps there are ways to additionally protect the site?