On Wednesday, the European Commission unveiled a mobile app designed to let people prove their age online without sharing personal data with platforms. EU officials said the app was ready, met the highest privacy standards, and pointed to its open-source code as proof of transparency.

Within hours, however, security researchers began picking apart the open-source code. By Thursday, security consultant Paul Moore had bypassed the app’s protections in under two minutes.

A screenshot of the EU age verification app

Others confirmed his findings. The app’s rate-limiting controls were stored in an editable file, biometric authentication could be turned off with a simple configuration change, and sensitive credentials were accessible without secure hardware protection.

The Commission played down the findings, calling the release a demo version. Both Moore and French cryptographer Olivier Blazy pushed back, telling Politico they were testing the latest version of the code when they found the flaws.

Later, the Commission said the issue was fixed, but the incident still shows how vulnerable these age verification systems are.

What EU’s age verification app does and what went wrong

The EU’s age verification app lets people verify their age using a passport, a national ID, or a trusted provider such as a bank. Platforms can then ask the app to confirm that someone is over a certain age without ever accessing the underlying personal data, an approach known as a zero-knowledge proof.

The implementation undermined that design. The app stored an encrypted PIN in an editable configuration file on the device, separate from the identity vault that holds the sensitive data. By deleting a few values and restarting the app, an attacker could set a new PIN while reusing the credentials from a previous profile.

The rate-limiting controls that prevent repeated guessing were stored as a simple counter in the same file, one that can be reset to zero, erasing any record of failed attempts. Biometric authentication was controlled by a single boolean flag; switching it from true to false skipped the check entirely.

Built to check ages, but not safely

After researchers used the code to expose its flaws, officials recast the app as a demo version.

Several developers noted that sensitive data should have been stored in a secure enclave, the hardware-level protection available on modern smartphones that makes these attacks much harder.
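The three flaws described above (an editable PIN record, a resettable attempt counter and a plain boolean for biometrics) share one root cause: the app trusted a file that anyone with device access could edit. The following added example, which is not the Commission’s code, is a simplified model of the hardened design the developers called for. It keeps all three fields in one record and seals that record with an HMAC under a key that never touches the editable file system; `ENCLAVE_KEY` is an assumed stand-in for a non-exportable key that, on a real phone, the secure hardware would hold and use without ever releasing it.

```python
import hashlib
import hmac
import json
import os

# Constructed model of the device-local state the article describes: PIN
# verifier, failed-attempt counter and "biometrics required" flag in one file.
# ENCLAVE_KEY is a placeholder for a hardware-bound key; in a real app the
# secure element computes the tag and the key is never readable by software.
ENCLAVE_KEY = os.urandom(32)
MAX_FAILED = 5
KDF_ROUNDS = 100_000


def _tag(body: str) -> str:
    return hmac.new(ENCLAVE_KEY, body.encode(), hashlib.sha256).hexdigest()


def seal(state: dict) -> str:
    """Canonicalise the state and attach an integrity tag covering every field."""
    body = json.dumps(state, sort_keys=True)
    return json.dumps({"body": body, "tag": _tag(body)})


def unseal(blob: str) -> dict:
    """Refuse any state whose tag no longer matches: an edited counter or a flipped flag is detected."""
    wrapper = json.loads(blob)
    if not hmac.compare_digest(_tag(wrapper["body"]), wrapper["tag"]):
        raise ValueError("state file failed integrity check")
    return json.loads(wrapper["body"])


def enrol(pin: str, biometrics_required: bool = True) -> str:
    """Create a fresh sealed record for a new PIN (salted PBKDF2 stands in for the app's real KDF)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ROUNDS).hex()
    state = {"salt": salt.hex(), "pin": digest, "failed": 0, "biometrics_required": biometrics_required}
    return seal(state)


def verify_pin(blob: str, pin: str) -> tuple[bool, str]:
    """Check a PIN and return (accepted, updated sealed blob); the lockout counter is sealed with the record."""
    state = unseal(blob)
    if state["failed"] >= MAX_FAILED:
        return False, blob  # locked out: no further guesses are evaluated
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), bytes.fromhex(state["salt"]), KDF_ROUNDS).hex()
    if hmac.compare_digest(digest, state["pin"]):
        state["failed"] = 0
        return True, seal(state)
    state["failed"] += 1
    return False, seal(state)
```

Because the counter and the biometrics flag sit inside the sealed body, resetting either one without the enclave key makes `unseal` reject the whole file rather than silently accepting the edited values.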

But the vulnerabilities expose a problem that goes beyond this particular app. Age verification is not safe by design, because it requires linking a real identity to an online action. That link has to be stored somewhere, even briefly, and wherever it lives, it becomes a target for hackers, governments, and anyone who gains unauthorized access to the underlying data. The more centralized and reusable that link becomes, the larger the target grows.

The EU’s age verification law is meant to be a single, privacy-preserving standard that replaces the legal patchwork taking shape across Member States, but the Commission’s confidence that the app is ready turned out to be premature. More than 400 privacy and security researchers wrote to the Commission in March asking for a moratorium on deployment until the science on age-verification technology settles.