Sam Crowther
@InfoSecSam
292 posts
Founder @kasada_io.
New York, NY · Joined June 2014
172 Following · 647 Followers
Ayush Agarwal (@ayushagarwal)
A lot of people have been asking what kind of scale or sophistication he actually operates at. This video should answer all of it. The setup he showed me is wild - a fully distributed infra stack that can seamlessly bypass @Cloudflare Turnstile, reCAPTCHA, hCAPTCHA….. all of it. No brute force, no guesswork, just pure engineering. Say what you want, but you can’t underestimate someone who builds systems like this from scratch and runs them at global scale. Dropping the video here for everyone who wanted a peek behind the curtain.
Quoting Ayush Agarwal (@ayushagarwal):
Here’s the full story. When the attacker reached out, I expected chaos. Instead, I met someone absurdly skilled, weirdly honest, and surprisingly open about why he did it. He’s from Russia. And his “job” is running a full stresser service - hundreds of servers across data centers, custom-built browsers with Rust, distributed load generators, all built and managed by him. At one point he even had 479 attacks running in parallel for different customers. He walked me through how he bypassed multiple layers of protection at @dodopayments. He showed me the tooling he built. He explained how he tests hundreds of sites at once. No ransom. No extortion. Just….. “I don’t like weak security and I wanted to push you.” And honestly, he did push us. Hard. We spent 48 hours fixing gaps we didn’t know existed. He pointed out where we were strong and where we weren’t. He even shared suggestions on how to harden the stack further. The wildest part? What started as an attack turned into a conversation about infra, security, and resilience. Internet is a strange place. But sometimes the people trying to break you end up making you stronger.
nickr (@WebsecNick)
@pxCaptcha This blog is what happens when you let non-technical marketers write your technical content.
nickr (@WebsecNick)
This human is annoyed by the captcha
Quoting WWEdeezNuts (@are_nfl):
@PayPal HOW THE FUCK DO YOU TURN CAPTCHA OFF ON AN ACCOUNT? I DONT FUCKING WANT TO DEAL WITH THIS BULLSHIT
Sam Crowther reposted
nickr (@WebsecNick)
@rauchg and the team @vercel gets it. BotID shows what invisible CAPTCHAs should be: - A few lines of code - Zero ongoing config - Maximum protection No more turning the stiles. No more score management. Why this matters: kasada.io/invisible-capt…
Malte Ubl (@cramforce)
This potential bug report turned into a really cool investigation with a surprising ending (shared with permission). So, @Plague_FPS was observing that Vercel BotID was detecting his own traffic as a bot. Further investigation shows that this was true for all Chromium browsers on his machine–but Firefox was working. Hmmm. How could this be? We went on a Zoom session with them, and eventually figured it out: Malware (or at least ultra-dark-pattern software) had installed a system proxy that was intercepting all network traffic. That proxy was triggering the BotID defenses. Uninstall the malware, and their Chromium browsers were passing again.
Quoting Plague (@Plague_FPS):
Where can I file issues for @vercel's botid package/api? I followed the documentation on the setup, and yet in production, all Server Action requests were being blocked. @rauchg @cramforce I was the one triggering the server actions in a preview build on Vercel, MS Edge browser.
Sam Crowther (@InfoSecSam)
Crazy that we managed to take the software that protects the largest companies on earth from bots, and get it into the hands of any developer thanks to @vercel @cramforce @rauchg Feels good to lift everyone to the same playing field. @tyronedougherty
Guillermo Rauch (@rauchg)
The best CAPTCHA is invisible. Full stop. We must rid the internet of junk

1️⃣ Server

    // checkBotId is the server-side helper from the botid package
    import { checkBotId } from 'botid/server'

    export async function POST(req) {
      const { isBot } = await checkBotId()
      if (isBot) {
        return new Response("🤖")
      }
      return new Response("😌")
    }

2️⃣ Client

    // BotIdClient is the client component from the botid package
    import { BotIdClient } from 'botid/client'

    <BotIdClient protect={["/api/signup"]} />

That’s it. It works on Vercel and we’ll bring this DX and industry-leading protection no matter where you host
Quoting Vercel (@vercel):
BotID is a new invisible CAPTCHA layer of protection that stops sophisticated bots before they reach your backend. It's built to secure critical routes such as checkouts, logins, and signups, or actions that trigger expensive calls like LLM-powered APIs. vercel.com/blog/introduci…
Andrew Qu (@andrewqu)
I can't believe it's been 100 days since I joined @vercel to work alongside @cramforce The energy and drive to build for the web is infectious, and I've loved every single day! 🧵some highlights
Sam Crowther (@InfoSecSam)
@zenorocha So it’s pretty sick to be able to work with the Vercel team to bring what we’ve spent many years building and delivering to f50 companies - to anyone using NextJS :) lmk if you have any feedback 👀
Sam Crowther (@InfoSecSam)
@zenorocha Many big co’s pushed for no-captcha bot detection tooling a number of years ago because bad UX = less revenue. That plus computer vision models started solving them better than humans ~2018 and beyond - made the captchas useless.
Zeno Rocha (@zenorocha)
As an industry, we accepted it’s normal to slap a 300x65 pixel banner with another company’s logo + links on our websites. Sign-up and login pages are prime real estate on the web. They are the entry door for all of our users every single day. We should be able to achieve bot detection without sacrificing user experience. No compromise.

For those saying “you can just enable invisible mode”, here are the problems we faced:

1) Race conditions with password managers
If your page or form submits before Turnstile has finished processing, the token may be missing. So, then you may need to delay form submission, which is not ideal for the user. This is especially annoying if you’re using a password manager which will autofill every field.

2) Adblockers and VPNs
If you’re using an adblocker or VPN, sometimes the widget doesn’t render or execute, and no challenge/token is issued. The majority of our users use some sort of adblocker. If they don’t have an adblocker extension installed, they might use a modern browser that already comes with it.

3) Mobile UX issues
On mobile networks or low-performance devices, background checks sometimes time out. The challenge gets rejected or the user needs to repeat form submission.

These are things we saw at Resend while serving 500k users. If Turnstile is working for you, then you can keep using it. This was not the case for us, and it’s not the type of friction we want users to have. Maybe BotID will solve this problem. Maybe it won’t. We will see. The only thing that matters to me is not compromising on user experience.
Quoting Resend (@resend):
We removed Cloudflare's Turnstile for... - Cleaner UI ✨ - Login is 2x as fast! 🏎️
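The three failure modes in the post above (autofill submitting before the widget has a token, a widget an adblocker never lets run, a check that times out on a slow link) come down to one race: the submit handler reads a token the widget has not delivered yet. Below is an added example, written for this page and not code from any of the posts, from Cloudflare or from Vercel, that models the race with a hand-driven stand-in for the widget and shows one mitigation: gate the submit on the widget's token with a bounded wait, tag tokenless submissions with why the token is missing, and have the server step up instead of hard-rejecting. Every name here (createTokenGate, naiveSubmit, gatedSubmit, serverPolicy, runScenarios), the 3000 ms deadline and the step-up policy are assumptions for illustration; the siteverify call is not made, so it runs offline.

```javascript
// Added example, not code from any post on this page and not Cloudflare's or
// Vercel's own code. Models the Turnstile token race and a bounded-wait gate.
// All names and the 3000 ms deadline are assumptions for illustration.

const TOKEN_WAIT_MS = 3000; // assumed upper bound on waiting for the widget

// Stand-in for the widget lifecycle. The real widget invokes success/error
// callbacks at some later time; here the caller (or a timer) invokes them.
function createTokenGate(timeoutMs = TOKEN_WAIT_MS) {
  let settle;
  let settled = null;
  const pending = new Promise((resolve) => { settle = resolve; });
  const finish = (outcome) => {
    if (!settled) { settled = outcome; settle(outcome); }
  };
  return {
    onToken: (token) => finish({ status: 'ok', token }),
    onError: (reason) => finish({ status: 'error', reason }),
    current: () => settled, // what a hidden token field would hold right now
    waitForToken: () => {
      let timer;
      const deadline = new Promise((resolve) => {
        timer = setTimeout(() => resolve({ status: 'timeout' }), timeoutMs);
      });
      return Promise.race([pending, deadline]).finally(() => clearTimeout(timer));
    },
  };
}

// The race: autofill fires submit at once and the handler reads the token
// field before the widget has populated it, so the request goes out tokenless.
function naiveSubmit(gate) {
  const now = gate.current();
  return { token: now && now.status === 'ok' ? now.token : null, reason: 'read-once' };
}

// Mitigation: wait for the widget, bounded by the deadline, and tag tokenless
// submissions with why the token is missing so the server can apply a policy.
async function gatedSubmit(gate) {
  const result = await gate.waitForToken();
  if (result.status === 'ok') {
    return { token: result.token, reason: 'token' };
  }
  return { token: null, reason: result.status }; // 'error' or 'timeout'
}

// Server-side policy. `verify` stands in for the siteverify call (not made
// here, so the example runs offline). A missing token is not a failed
// verification: a blocked or timed-out widget gets a step-up check rather
// than a hard reject, which is what bounces adblocker and mobile users.
function serverPolicy({ token, reason }, verify) {
  if (token) {
    return verify(token) ? 'allow' : 'reject';
  }
  return reason === 'error' || reason === 'timeout' ? 'step-up' : 'reject';
}

// Three constructed scenarios; timers play the part of the widget.
async function runScenarios() {
  // 1. Password manager submits immediately; widget answers 10 ms later.
  const fast = createTokenGate(200);
  setTimeout(() => fast.onToken('tok-fast'), 10);
  const naive = naiveSubmit(fast);       // reads the field too early
  const gated = await gatedSubmit(fast); // waits for the widget

  // 2. Widget blocked by an adblocker: no callback ever fires.
  const blocked = await gatedSubmit(createTokenGate(30));

  // 3. Widget reports a rejected challenge on a slow mobile link.
  const slow = createTokenGate(200);
  setTimeout(() => slow.onError('challenge-rejected'), 10);
  const errored = await gatedSubmit(slow);

  const verify = (t) => t === 'tok-fast'; // stand-in for siteverify
  return {
    naive: naive.token,                     // null: the token was lost to the race
    gated: serverPolicy(gated, verify),     // 'allow'
    blocked: serverPolicy(blocked, verify), // 'step-up'
    errored: serverPolicy(errored, verify), // 'step-up'
  };
}

runScenarios().then((r) => console.log(r));
```

The gate does not remove the delay Zeno objects to; it bounds it and makes the tokenless case explicit, so the server can distinguish "widget never answered" from "verification failed" and route the first to a secondary check instead of the same form again.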
Sam Crowther (@InfoSecSam)
@resend Gotta keep that UX clean and fast. LMK if you guys have any feedback 😎
Sam Crowther reposted
Resend (@resend)
We removed Cloudflare's Turnstile for... - Cleaner UI ✨ - Login is 2x as fast! 🏎️
Sam Crowther (@InfoSecSam)
@enttuy @vercel Keep cooking 🔥 gotta keep security easy and UX clean. LMK if you have any feedback!
Thomas Bres (@brestho)
I implemented the new BotID verification by @vercel, powered by @kasada_io, in all my clients' and personal projects. It only took me 2 hours for 5 projects! No more visible CAPTCHA for users, it's just awesome.
Sam Crowther reposted
Vercel (@vercel)
BotID is a new invisible CAPTCHA layer of protection that stops sophisticated bots before they reach your backend. It's built to secure critical routes such as checkouts, logins, and signups, or actions that trigger expensive calls like LLM-powered APIs. vercel.com/blog/introduci…
BottingRocks (@BottingRocks)
Scraping airlines is the new sneaker twitter 2017. It's just getting started, the only difference is that the threat actors all have previous knowledge about antibots.
Sam Crowther reposted
nickr (@WebsecNick)
Ok #sneakertwitter, I'm curious, which anti-bot is the easiest to continuously bypass? Note, I've excluded Kasada as this is not an exercise to validate anything that we're doing.