
CLOUDFLARE TURNSTILE USES WEBGL FOR DEVICE FINGERPRINTING

INDUSTRY DESK · 2 MIN READ
FRI, JUN 5, 2026

■ AI-SUMMARIZED FROM 3 SOURCES

Security researchers have identified that Cloudflare's Turnstile CAPTCHA system collects WebGL data capable of fingerprinting devices, raising privacy concerns about the supposedly privacy-focused verification service.

Cloudflare's Turnstile, positioned as a privacy-respecting alternative to Google's reCAPTCHA, has been found to leverage WebGL—a graphics API—in ways that enable device fingerprinting, according to security analysis shared on Hacker News.

The discovery highlights a tension in Cloudflare's stated privacy commitments. Turnstile was launched as a bot-detection solution that avoids collecting user behavior data like reCAPTCHA does. However, the use of WebGL data extraction allows identification of specific devices based on GPU capabilities and rendering characteristics, potentially undermining those privacy claims.

WebGL fingerprinting works by querying graphics hardware details that vary between devices. While Cloudflare has not publicly detailed the extent to which it uses this data for fingerprinting versus legitimate bot detection, security researchers flag the capability as problematic from a privacy standpoint.

The finding arrives as Cloudflare CEO Matthew Prince recently stated that bot traffic has already exceeded human traffic on the internet—ahead of his previous 2027 forecast—and predicted the web's future will shift toward a "pay to crawl" model to combat AI agents. Cloudflare has also announced the acquisition of VoidZero, a company specializing in bot detection and traffic analysis, signaling intensified focus on distinguishing human users from automated systems.

The WebGL fingerprinting issue underscores broader challenges in bot detection: distinguishing legitimate users from malicious bots increasingly requires collecting device-specific data, conflicting with privacy-first design principles. Users relying on Turnstile for its privacy benefits may not realize the extent of device data collection occurring during verification. The company has not yet publicly responded to the fingerprinting findings.
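For readers who want to check what WebGL data a script actually reads, the following added example (not code from Cloudflare, Turnstile, or the researchers cited) wraps a WebGL context's `getParameter` and `getExtension` and logs reads of device-identifying values. The enum values are the standard WebGL constants; `auditWebGL`, `summarize`, the mock context and the observed calls in `demo` are constructed for illustration.

```javascript
// Added example: audit hook recording reads of identifying WebGL values.
// Standard WebGL enum values that describe the GPU or driver.
const IDENTIFYING_PARAMS = new Map([
  [0x1F00, 'VENDOR'], [0x1F01, 'RENDERER'], [0x1F02, 'VERSION'],
  [0x8B8C, 'SHADING_LANGUAGE_VERSION'], [0x0D33, 'MAX_TEXTURE_SIZE'],
  [0x9245, 'UNMASKED_VENDOR_WEBGL'], [0x9246, 'UNMASKED_RENDERER_WEBGL'],
]);

// Wraps a context (or a context prototype) and appends each sensitive read to `log`.
function auditWebGL(target, log = []) {
  const origGetParameter = target.getParameter;
  const origGetExtension = target.getExtension;
  target.getParameter = function (pname) {
    const name = IDENTIFYING_PARAMS.get(pname);
    if (name) log.push({ call: 'getParameter', name });
    return origGetParameter.call(this, pname); // behaviour is unchanged
  };
  target.getExtension = function (extName) {
    if (extName === 'WEBGL_debug_renderer_info') log.push({ call: 'getExtension', name: extName });
    return origGetExtension.call(this, extName);
  };
  return log;
}

// Reduces the log to what a privacy reviewer cares about.
function summarize(log) {
  const distinct = [...new Set(log.map((e) => e.name))];
  return { reads: log.length, distinct, exposesGpuModel: distinct.includes('UNMASKED_RENDERER_WEBGL') };
}

// Constructed stand-in for a WebGLRenderingContext so the example runs offline.
function makeMockContext() {
  const values = new Map([[0x9246, 'Constructed GPU Model X'], [0x0D33, 16384], [0x0BE2, false]]);
  return {
    getParameter(pname) { return values.has(pname) ? values.get(pname) : null; },
    getExtension(name) {
      return name === 'WEBGL_debug_renderer_info'
        ? { UNMASKED_VENDOR_WEBGL: 0x9245, UNMASKED_RENDERER_WEBGL: 0x9246 } : null;
    },
  };
}

// Constructed sequence of reads standing in for a script under observation.
function demo() {
  const gl = makeMockContext();
  const log = auditWebGL(gl);
  const ext = gl.getExtension('WEBGL_debug_renderer_info');
  gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
  gl.getParameter(0x0D33); // MAX_TEXTURE_SIZE
  gl.getParameter(0x0BE2); // BLEND: render state, not identifying, not logged
  return summarize(log);
}
```

In a browser the same wrapper can be applied to `WebGLRenderingContext.prototype` in the frame being audited, before the scripts of interest run.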

■ SOURCES

Hacker News, Hacker News, The Decoder

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE
