Brussels’ New Age Verification App: Hacked in Two Minutes

The European Union’s age verification app arrived on Wednesday with a promise that it was “technically ready” for deployment across the bloc. Within hours, security researchers had torn it apart.

Commission President Ursula von der Leyen presented the tool in Brussels as the answer to a continent-wide push to keep minors off social media and adult websites. “It is fully open source. Everyone can check the code,” von der Leyen said. Researchers took her at her word. What they found has turned the launch into exactly the kind of security embarrassment that should make anyone think twice about digital identity systems.

Security consultant Paul Moore published a widely shared post on X documenting what he discovered after examining the GitHub repository. The app stores sensitive data on users’ phones and leaves it unprotected. Moore claimed he hacked it in under two minutes.

Brussels is standing by its product. “Yes, it is ready. Maybe we can add, ‘and it can always be improved’,” Chief Spokesperson Paula Pinho told reporters Friday. Digital spokesperson Thomas Regnier added a revealing clarification. “Now, when we say it’s a final version, it’s … still a demo version.” He said the final product is not yet available for citizens and “the code will be constantly updated and improved … I cannot today exclude or prejudge if further updates will be required or not.”

Moore’s thread on X carried the technical takedown, describing the app’s architecture as broken at the foundation. The encrypted PIN the app stores locally, according to Moore, has no cryptographic link to the identity vault holding the actual verification data: the PIN only gates access, it does not protect the data.

That gap enables a bypass that requires no exploit code or specialized tools. Delete a few specific values from the app’s configuration files, restart the app, set a new PIN, and the software happily hands over access to credentials that belong to the previous profile. Identity data gets reused under whatever access control the attacker defines.

The weaknesses deepen from there. Rate limiting, the standard defense against someone trying PIN after PIN until one works, lives in the same editable configuration file as a plain counter. Set it to zero and the app forgets every failed attempt.
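The two designs at issue, as a constructed Python model added here to illustrate the flaw Moore describes. This is not the EU app’s code and not Moore’s: the class names, the config keys, the HMAC-based toy keystream (standing in for AES-GCM or a platform keystore) and the sample identity are all assumptions. It shows why a PIN stored beside the vault can be reset without the old PIN, why a counter in the same file is no lockout, and how deriving the vault key from the PIN closes the first gap.

```python
# Constructed model of the flaw described above; not the app's code. All names are assumptions.
import hashlib
import hmac
import json
import os

# Constructed sample of what an identity vault might hold.
SAMPLE_IDENTITY = {"subject": "demo-user", "over_18": True, "issuer": "example-wallet"}


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style XOR with an HMAC-SHA256 keystream (toy, stdlib-only cipher)."""
    out = bytearray()
    for counter, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class WeakProfile:
    """The flawed layout: PIN hash, attempt counter and vault sit side by side in
    editable state, and the PIN only flips a gate in front of a plaintext vault."""

    def __init__(self, pin: str, identity: dict):
        self.config = {"pin_hash": self._h(pin), "failed_attempts": 0, "max_attempts": 3}
        self.vault = json.dumps(identity).encode()  # no cryptographic link to the PIN

    @staticmethod
    def _h(pin: str) -> str:
        return hashlib.sha256(pin.encode()).hexdigest()

    def set_pin(self, pin: str) -> bool:
        """First-run logic: a missing pin_hash means 'no PIN yet', so any PIN is accepted."""
        if "pin_hash" in self.config:
            return False
        self.config["pin_hash"] = self._h(pin)
        return True

    def unlock(self, pin: str):
        if self.config["failed_attempts"] >= self.config["max_attempts"]:
            return None  # "locked", but the lock is just a number in the same file
        if hmac.compare_digest(self.config["pin_hash"], self._h(pin)):
            self.config["failed_attempts"] = 0
            return json.loads(self.vault)
        self.config["failed_attempts"] += 1
        return None


class BoundProfile:
    """The fix: the vault is encrypted and authenticated under a key derived from the
    PIN, so there is no separate PIN record to delete and no plaintext to gate."""

    def __init__(self, pin: str, identity: dict):
        self._wrap(pin, identity)

    def _wrap(self, pin: str, identity: dict) -> None:
        self.salt, self.nonce = os.urandom(16), os.urandom(16)
        key = self._derive(pin)
        self.ciphertext = _keystream_xor(key, self.nonce, json.dumps(identity).encode())
        self.tag = hmac.new(key, self.nonce + self.ciphertext, hashlib.sha256).digest()

    def _derive(self, pin: str) -> bytes:
        # Slow KDF: each guess costs real work even if the attacker controls the counter.
        return hashlib.scrypt(pin.encode(), salt=self.salt, n=2 ** 14, r=8, p=1, dklen=32)

    def unlock(self, pin: str):
        key = self._derive(pin)
        expect = hmac.new(key, self.nonce + self.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, self.tag):
            return None  # wrong PIN: the tag fails and nothing is decrypted
        return json.loads(_keystream_xor(key, self.nonce, self.ciphertext))

    def change_pin(self, old_pin: str, new_pin: str) -> bool:
        identity = self.unlock(old_pin)  # re-wrapping requires the old PIN
        if identity is None:
            return False
        self._wrap(new_pin, identity)
        return True


def bypass_weak():
    """The reset described in the post: drop the PIN record, 'restart', set a new PIN."""
    victim = WeakProfile("4821", SAMPLE_IDENTITY)
    del victim.config["pin_hash"]  # attacker edits the stored config
    victim.set_pin("0000")         # app treats the profile as first run
    return victim.unlock("0000")   # old vault, attacker's PIN


def reset_lockout_weak():
    """Three bad guesses lock the weak profile; zeroing the counter unlocks it again."""
    victim = WeakProfile("4821", SAMPLE_IDENTITY)
    for guess in ("0000", "1111", "2222"):
        victim.unlock(guess)
    locked = victim.unlock("4821")        # None: correct PIN, but locked out
    victim.config["failed_attempts"] = 0  # attacker edits the counter
    return locked, victim.unlock("4821")


def bypass_bound():
    """Same moves against the bound profile: no record to delete, no PIN to set."""
    victim = BoundProfile("4821", SAMPLE_IDENTITY)
    return victim.change_pin("0000", "0000"), victim.unlock("0000")
```

Binding the vault key to the PIN removes the reset trick, but it does not by itself fix the counter: a lockout counter the attacker can edit is no lockout in either design. In practice that counter has to live somewhere the attacker cannot write (a secure element, a keystore-backed key with attempt limits, or a server), and the slow KDF only buys time against whoever still has to guess.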


Author: HP McLovincraft
