EU age verification app hacked in 2 min, raising data security fears


The European Union’s new age-verification app, promoted as a privacy-preserving tool to protect children online, has been found critically vulnerable. Security researchers report it can be hacked in under two minutes. This flaw, identified soon after launch, has increased scrutiny of the EU’s broader approach to online age verification and digital identity systems.

Critical Flaws Undermine “Safe by Design” Claims

The European Commission introduced the app as an open-source tool to verify user age across platforms, enabling users to prove eligibility without sharing personal data.

Cybersecurity experts quickly identified significant design flaws. Storing user PINs locally allows attackers to bypass authentication controls with minimal effort.

Security consultant Paul Moore demonstrated that editing local configuration files allows attackers to reset PIN protections, disable biometric locks, and access stored credentials.

Moore warned that these vulnerabilities could make the system “the catalyst for an enormous breach,” posing risks to both individual users and platforms relying on the app for compliance.

Broader Pattern of Weaknesses in Age-Verification Tech

The incident underscores a wider challenge – building age-verification systems that are both effective and privacy-preserving.

Globally, these systems increasingly rely on government IDs, biometrics, or AI-based estimation, each with trade-offs among accuracy, accessibility, and data protection.

Previously, a hack of an age-verification firm exposed the identity documents of 70,000 Discord users, showing how sensitive this data is when compromised.

Experts warn that even “privacy-first” architectures can fail if basic security practices, such as secure credential storage and tamper resistance, are not rigorously implemented.

A Surge in Cybersecurity Threats Across Platforms

The vulnerability discovered in the EU app surfaced amid a wave of significant cybersecurity incidents that underscored growing digital risks. Major data breaches at organisations such as European fitness operator Basic-Fit and Booking.com exposed sensitive customer information, raising concerns about data protection practices. At the same time, the social platform Bluesky experienced a disruptive DDoS attack, though it did not result in any data loss.

As governments worldwide expand age-check mandates, a key challenge persists: verifying identity online without increasing risks of surveillance, exclusion, or large-scale data breaches.
