{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreih2dfhfgpswxqavkzsp4rzvgkvuojrqayc5k3amuf2jnekef32qwi",
    "uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3mjmktct6mis2"
  },
  "path": "/t/new-eu-age-verification-has-been-hacked-in-under-2-minutes/37185#post_1",
  "publishedAt": "2026-04-16T13:37:08.000Z",
  "site": "https://discuss.privacyguides.net",
  "tags": [
    "https://x.com/Paul_Reviews/status/2044723123287666921",
    "@vonderleyen"
  ],
  "textContent": "Found this interesting tweet at X:\n\n> Hacking the #EU #AgeVerification app in under 2 minutes.\n>\n> During setup, the app asks you to create a PIN. After entry, the app _encrypts_ it and saves it in the shared_prefs directory.\n>\n>   1. It shouldn’t be encrypted at all - that’s a really poor design.\n>   2. It’s not cryptographically tied to the vault which contains the identity data.\n>\n> So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app.\n>\n> After choosing a different PIN, the app presents credentials created under the old profile and lets the attacker present them as valid.\n>\n> Other issues:\n>\n>   1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.\n>   2. “UseBiometricAuth” is a boolean, also in the same file. Set it to false and it just skips that step.\n>\n> Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It’s just a matter of time.\n\nIn the tweet the guy provided a video.\n\nsource: https://x.com/Paul_Reviews/status/2044723123287666921",
  "title": "New EU age verification has been hacked in under 2 minutes"
}