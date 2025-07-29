It turns out that one of the most common ways to check security on the Internet is just child’s play for ChatGPT Agent. The irony is that the test requires you to prove that you «not a bot», which the OpenAI bot managed to do….

ChatGPT Agent — is a new feature that allows the OpenAI AI bot to operate in an isolated environment with its own virtual OS and browser, which at the same time provides access to the real Internet. Users can observe ChatGPT’s actions in the program’s interface, but must first grant permission.

In one of these experiments Reddit user (via Arstechnica) found that the new AI agent easily passes CloudFlare’s verification. The screenshots show how the agent first clicks the «Confirm that you are human» checkbox and then starts converting the video with comments:

«The link is inserted, now I will click the “Verify you are human” checkbox to go through Cloudflare verification. This step is necessary to prove that I am not a bot and to continue with the steps».

It seems absurd, given that the bot has successfully proved that it is not a bot. In the comments, the agent was supported by humorous comments:

«To be honest, it’s trained on human data, why shouldn’t it identify itself as a human? You have to respect this choice,», — one user writes.

Even though the agent did not encounter a real visual CAPTCHA puzzle, successfully passing Cloudflare’s behavioral screening, which decides whether to display such tasks, demonstrates a high level of browser automation.

To understand the significance of this capability, you should know that CAPTCHA systems have been a staple of online security for decades. Computer researchers invented the technology in the 1990s to filter out bots on websites — initially as images with distorted numbers and letters to make it harder for bots to recognize; and now with pictures of traffic lights, pedestrian crossings, and buses (a test that, to be fair, can give some people nervous fits).

Cloudflare’s screening system called Turnstile usually precedes CAPTCHAs and is one of the most common methods of bot detection today — Turnstile analyzes many signals, including mouse movements, click speed, digital «fingerprint» browser, IP address reputation, and JavaScript execution patterns to determine if a user is behaving like a human. If all these checks are passed, the user is allowed to proceed without a CAPTCHA (as was the case with ChatGPT).

At the same time, the ability of AI models to overcome CAPTCHA puzzles themselves are not newThis calls into question the effectiveness of these checks in the future and creates new challenges for the companies that develop them.