‘No more excuses’: Von der Leyen says EU age checking app is ready

https://cybernews.com/security/eu-age-verification-app-hack/

According to Moore, the app stores an encrypted PIN locally, but crucially, the encryption is not tied to the user’s identity vault, where sensitive verification data is kept.

That opens the door to a surprisingly simple bypass. By deleting specific values tied to the PIN from the app’s configuration files and restarting it, an attacker can set a new PIN while still retaining access to credentials created under the previous profile.

In effect, the app accepts reused identity data under a newly defined access control.

Moore also pointed to additional weaknesses that make brute-force or bypass attempts even easier.

Rate limiting, typically used to prevent repeated guessing of PINs, is stored as a simple counter in the same editable configuration file. Reset it to zero, and the system forgets how many attempts have already been made.

Biometric authentication, meanwhile, is controlled by a single boolean flag. Flip it from “true” to “false,” and the app simply skips biometric checks altogether.

POLITICO – 17 Apr 26

Brussels launched an age checking app. Hackers say it takes 2 minutes to...

Cyber experts say they have found holes in Brussels’ age verification app, despite claims by the EU executive that it is “technically ready.”

Within hours of the EU’s app release, security consultant Paul Moore found it would store sensitive data on a user’s phone and leave it unprotected, he wrote in a widely shared post on X. Moore claimed to have hacked the app in under 2 minutes.

Baptiste Robert, a prominent French white hat hacker, confirmed many of the issues and told POLITICO it was possible to bypass the app’s biometric authentication features, meaning someone would be able to forgo entering a PIN code or using Touch ID to access the app.

Olivier Blazy, a cryptographic researcher who is part of a French task force on digital identity, said: “Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18.”

europeanconservative.com – 17 Apr 26

EU Forced To Update New Age-Check App After Security Flaws

Concerns over hacking risks and easy workarounds emerge just days after the system was declared “technically ready.”