How I built a click farm to “bypass” Cloudflare’s CAPTCHA killer with some cheap USB security keys, an Arduino, and a bit of python.

Any opinions stated here are my own, not necessarily those of any past, present, or future employer.

6 powered HyperFIDO keys connected to a USB hub and attached to an Arduino

What is Attestation of Personhood?

Cloudflare recently published a blog post about a potential replacement for CAPTCHAs that uses signatures from hardware security keys via WebAuthn, which they are calling “Attestation of Personhood”. The post triggered a good bit of discussion online, particularly around the threat of automation mentioned near the end of the post:

Here are the slides and exploits from the DEF CON 24 talk in Las Vegas, NV. Video to follow in a few weeks.

Update on the slides: these issues have all been resolved; the slides were not updated before being uploaded to the DEF CON server.

I decided to relaunch my blog with my recent domain name change. It’s unlikely I will migrate the old content, but look forward to my incoherent ramblings about security bugs and the state of the industry in the future.

Luke Young

I find bugs and exploit them. Sometimes for money, mainly for T-Shirts. https://www.linkedin.com/in/bored-engineer/
