July 10, 2026

Bot fight turns passport panic

Show HN: We beat Cloudflare's bot detection (open-source stealth browser)

Open-source bot-buster drops, and commenters instantly fear an internet ID nightmare

TLDR: A developer says he built an open-source tool that gets past website bot blocks so AI assistants stop confidently reading fake warning pages as real information. But the comment drama zeroed in on a bigger fear: tools like this could push the internet toward harsher lockouts and even ID checks.

A hacker proudly rolled out an open-source browser tool that slips past website bot checks, saying the real problem wasn’t data-hungry artificial intelligence companies scraping the web, but AI assistants confidently reading fake block pages and making up answers. In plain English: instead of seeing the real website, these tools often see a “Just a moment” or “enable cookies” wall, then cheerfully pretend that wall was the content. The creator says his tool fixes that on several big sites, turning useless blocked pages into real job listings, home listings, and shopping results.

But in the comments, the mood swerved from impressed to deeply suspicious fast. The loudest reaction wasn’t “wow, clever,” it was basically, are we speedrunning ourselves into showing papers just to browse the internet? One commenter delivered the thread’s cold-shower moment by warning this kind of cat-and-mouse battle is “pushing for a future of national IDs to go online,” instantly reframing the project from scrappy underdog hack to possible fuel for a darker, more locked-down web. That’s the real drama here: one side sees a fix for broken AI browsing, the other sees another brick in the wall of internet surveillance.

And yes, there’s a darkly funny angle too. People can’t get over the image of a super-confident AI solemnly summarizing Cloudflare’s waiting room as if it were actual facts. The accidental meme of the day? Your “smart” assistant reading a digital bouncer rope and calling it research.

Key Points

  • The article says AI agents can silently produce incorrect answers when they summarize anti-bot block pages instead of real webpage content.
  • Standard request methods such as fetch(), httpx.get(), and requests.get() may return a 403 or even 200 response with HTML block pages, making failures hard to detect programmatically.
  • In a July 10 test cited by the author, twelve popular websites including Crunchbase, Product Hunt, Upwork, Fiverr, StockX, DoorDash, Coinbase, and Udemy returned hard 403 responses.
  • The post benchmarks eight anti-bot targets and reports that naive requests retrieved real content 0 out of 8 times, while the open-source Fortress browser succeeded on 5 out of 8.
  • The article uses Indeed and Zillow examples to show that Fortress reportedly returns real structured content where naive requests return challenge or denial pages.

Hottest takes

"future of national IDs to go online" — threatofrain
"I don't commend this at all" — threatofrain
"confidently wrong" — article author
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.