How to circumvent Cloudflare's [email protected] thing, WITHOUT enabling Javascript

Submitted by sudo in Privacy (edited )

Scroll to the very bottom of this article, and you'll see this:

For more information and ways to help fund the WWP delegation, contact [email protected]

If you click on "[email protected]", you'll be taken to a page that says:

The website from which you got to this page is protected by Cloudflare. Email addresses on that page have been hidden in order to keep them from being accessed by malicious bots. You must enable Javascript in your browser in order to decode the e-mail address.

Protecting email addresses from email-harvesting web crawlers is good, but the bad part is that it also shuts out people who disable javascript for privacy reasons. If you really need that email address, you would have to enable javascript, and expose yourself to browser fingerprinting. Even if you trust the website you're on, they may include javascript libraries from other websites (like Google), which are obfuscated, so you can't be sure that they didn't include any fingerprinting code.

This isn't very good, so I decided to take a look at the javascript source code, to see if I could figure out what exactly it's doing to hide the email address, and if I could translate the code to C++. If you right click -> Inspect Element on the [email protected] text, you'll see this:

<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="dceeecedeb9fb4b99eaeb5bbbdb8b99cbbb1bdb5b0f2bfb3b1f2">[email&nbsp;protected]</a>

The "data-cfemail" field is the important part here. This is a string of hexadecimal digits. Right after it is a blob of javascript. Sifting through it, I found this bit:


In case you can't make sense of that, that says that in order to decrypt the hexadecimal string, start at the second hexadecimal byte, and XOR each one by the first hexadecimal byte in the string (in this case, 0xdc). That's a very simple function, so I re-created it in C++. Here's the source code, in case you want to use it:

#include <iostream>
#include <string>

std::string decrypt(std::string obfuscatedEmail);

int main()
    std::cout << "Enter the obfuscated email address: ";
    std::string obfuscatedEmail;
    std::cin >> obfuscatedEmail;
    std::cout << decrypt(obfuscatedEmail) << std::endl;

std::string decrypt(std::string obfuscatedEmail)
    std::string output;
    char xorKey = std::stoi( obfuscatedEmail.substr(0, 2), nullptr, 16);
    for( unsigned i = 2; i < obfuscatedEmail.length(); i += 2)
        output += std::stoi( obfuscatedEmail.substr(i, 2), nullptr, 16) ^ xorKey;

    return output;

Save it as fuckCloudflare.cpp. Make sure you have g++ installed, then compile it using g++ -std=c++0x -o fuckCloudflare fuckCloudflare.cpp. Run the program, and paste in dceeecedeb9fb4b99eaeb5bbbdb8b99cbbb1bdb5b0f2bfb3b1f2. See what you get (but don't post the actual email here; Workers World enabled the email protection to protect against spambots, so posting it publicly would defeat the purpose of that).

Congratulations! You can now bypass Cloudflare's email protection without enabling javascript. Just inspect the [email protected] element whenever you come across it, copy the hexadecimal string, then paste it into this program.

Note: I've only tested this on workers.org, because that's the only site that I know of that uses this email protection. Other websites might use a different algorithm, so if you know of a website where this doesn't work, let me know, and I'll try to reverse-engineer their javascript.


You must log in or register to comment.