EU Age Verification App Hacked in Minutes, Raising Security Concerns


A newly unveiled European age verification application, championed by European Commission President Ursula von der Leyen, has reportedly been bypassed by a security researcher in under two minutes, just hours after its public announcement. The vulnerability, detailed by security consultant Paul Moore, casts a shadow over the app's security claims and the broader European Digital Identity (EUDI) Wallet initiative.

The European Commission had presented the app as "technically ready" and meeting "the highest privacy standards," designed to allow users to verify their age online without sharing extensive personal data. However, Moore, known on social media as @Paul_Reviews, published a step-by-step method demonstrating how the app's protections could be circumvented from within the application itself. "This app is a joke," the Visegrád 24 account stated in a tweet, quoting Moore's findings.

Moore's analysis revealed that the app stores an encrypted PIN locally, but the encryption is not robustly tied to the user's identity vault. This design flaw allows an attacker to delete specific configuration values, restart the app, and set a new PIN while retaining access to previously verified credentials. Furthermore, rate limiting and biometric authentication settings were found to be easily editable within the app's configuration files, making brute-force attempts or bypasses straightforward.
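The binding this paragraph says was missing, sketched as an added example (a hypothetical model, not the app's code or Moore's): the key that protects stored credentials is wrapped under a PIN-derived key, so deleting the PIN state and enrolling a new PIN cannot bring the old credentials back. Assumptions: the record layout, PIN values and function names are constructed, PBKDF2 with an XOR pad and HMAC tag stands in for an AEAD key wrap because Python's standard library has no AES, and a real wallet would also mix in a hardware-bound key so PIN guesses cannot be checked offline.

```python
import hashlib, hmac, os
from typing import Optional

ITER = 100_000  # assumed work factor for this sketch

def _derive(pin: str, salt: bytes) -> bytes:
    # 64 bytes: first 32 wrap the vault key, last 32 key the integrity tag.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITER, dklen=64)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(pin: str, vault_key: bytes) -> dict:
    """Wrap the 32-byte vault key under the PIN; no separate PIN verifier is stored."""
    salt = os.urandom(16)  # fresh salt, so the pad is used once
    k = _derive(pin, salt)
    wrapped = _xor(vault_key, k[:32])
    tag = hmac.new(k[32:], salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unlock(pin: str, record: Optional[dict]) -> Optional[bytes]:
    """Return the vault key, or None if the record is missing, altered or the PIN is wrong."""
    if record is None:
        return None
    k = _derive(pin, record["salt"])
    expect = hmac.new(k[32:], record["salt"] + record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, record["tag"]):
        return None
    return _xor(record["wrapped"], k[:32])

def reset_scenario() -> dict:
    """Constructed run: enroll, unlock, then delete the record and set a new PIN."""
    old_key = os.urandom(32)            # key protecting already-verified credentials
    record = enroll("493817", old_key)  # constructed PIN
    good = unlock("493817", record) == old_key
    bad = unlock("000000", record)
    record = None                       # the PIN state is deleted from storage
    missing = unlock("493817", record)
    # A new PIN can only wrap a new key; nothing left on disk yields old_key.
    new_key = os.urandom(32)
    record = enroll("111111", new_key)
    after = unlock("111111", record)
    return {"good": good, "bad": bad, "missing": missing,
            "old_key_recovered": after == old_key}
```

The same tag could also cover the attempt counter and biometric flag, so that edits to those settings are detected at unlock rather than trusted.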

The incident has sparked criticism from cybersecurity experts, who questioned the app's fundamental design. Pavel Durov, CEO of Telegram, suggested the app was "hackable by design" due to its reliance on device-side trust, warning it could evolve into a "surveillance tool sold as privacy-respecting." The European Commission, while acknowledging the reports, stated that the alleged vulnerability was found in a "demo version" and has since been fixed, though critics like Moore and French white-hat hacker Baptiste Robert dispute this, claiming their tests were on the latest available code.

The age verification app is part of a larger EU strategy to enhance online child safety and is intended to integrate with the EUDI Wallet. The European Commission aims for up to 80% of Europeans to have access to a digital ID solution by 2030, a goal that now faces increased scrutiny regarding the security and privacy implications of such widespread digital identity systems. This rapid security breach highlights the challenges in balancing user convenience, privacy, and robust security in digital identity solutions.