EU Age Verification Hacked in 2 Minutes: What Happened
8 hours ago
- #Cybersecurity
- #EU Digital Identity
- #Age Verification
- The EU age verification app, announced on April 15, 2026, was compromised within hours by a security researcher, Paul Moore, exposing critical vulnerabilities.
- Eight vulnerabilities were confirmed, including a fake encryption method using a Fisher-Yates shuffle, a PIN that didn't protect data, and a private key that could sign without user authentication.
- An emergency patch was released 24 hours later, fixing some issues, such as the fake encryption, and adding certificate pinning, but key flaws remained, such as the design trade-off between privacy and non-transferability.
- The app's design allows a zero-knowledge proof of age without revealing personal data, but this creates a structural flaw where credentials can be easily replicated or bypassed, as demonstrated by a Chrome extension.
- Lessons include that open source is a promise, not a guarantee; UX often compromises security; backend systems are critical; and fast response times are essential in cybersecurity.