The European Union's new age-verification app, designed to let users prove their age online without sharing personal data, was found to have serious security flaws within days of launch. Security researchers say the app can be compromised in under two minutes.
The European Commission built the app as an open-source tool for age checks across platforms. The core idea was that users could confirm eligibility for age-restricted content without handing over sensitive personal details to every platform they visit. That privacy promise now looks hollow.
How the Attack Works
The flaw comes down to how the app handles its PIN system. When a user sets up the app, it asks them to create a PIN, but that PIN is stored locally on the device and is not properly tied to the identity data it is meant to protect. Security consultant Paul Moore showed that an attacker can edit local configuration files to reset the PIN, disable biometric locks, and access stored credentials. The whole process takes less than two minutes and requires minimal technical skill.
Moore specifically flagged that the app encrypts the PIN and saves it in the device's shared preferences directory, a design he called fundamentally wrong. Encryption alone does not protect a credential kept in a local file that anyone with access to the device can read or replace. Secure systems bind authentication to the identity data itself, so that defeating the PIN check forfeits access to that data instead of granting it. This app does not do that.
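The storage distinction Moore draws, shown as an added illustration in Python that is not code from the EU app or from Moore: in the weak layout the PIN is only a gate stored beside the data, so resetting the stored PIN material exposes the identity blob; in the bound layout the identity blob is sealed under a key derived from the PIN, so the same reset yields nothing. The HMAC-based cipher, the prefs-file model, the key and function names and the sample identity string are all constructed stand-ins.

```python
import hashlib
import hmac
import secrets
ITERATIONS = 100_000  # PBKDF2 work factor; a real app would use Argon2id or the platform keystore

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-GCM
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
DEVICE_KEY = secrets.token_bytes(32)  # app-wide key that any code running as the app can use

def weak_enroll(pin, identity):
    # The PIN is only a gate: it and the identity blob are sealed separately under the same key
    return {"pin_enc": seal(DEVICE_KEY, pin.encode()), "identity_enc": seal(DEVICE_KEY, identity)}

def weak_unlock(prefs, pin):
    if open_sealed(DEVICE_KEY, prefs["pin_enc"]) != pin.encode():
        return None
    return open_sealed(DEVICE_KEY, prefs["identity_enc"])

def bound_enroll(pin, identity):
    # The PIN is never stored; the identity blob is sealed under a key derived from it
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"salt": salt, "identity_enc": seal(key, identity)}

def bound_unlock(prefs, pin):
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), prefs["salt"], ITERATIONS)
    return open_sealed(key, prefs["identity_enc"])  # wrong PIN -> MAC check fails -> None

def survives_pin_reset(enroll, unlock, identity=b"DOB=2001-03-14;DOC=PLACEHOLDER"):
    # Model a local PIN reset: every stored field except the identity blob is overwritten
    # with values from a fresh enrolment under PIN "0000", as an edited prefs file would be.
    prefs, fresh = enroll("4821", identity), enroll("0000", b"")
    tampered = {k: (prefs[k] if k == "identity_enc" else fresh[k]) for k in prefs}
    return unlock(tampered, "0000") != identity  # True when the reset does not expose the data
```

The bound layout is still only as strong as the PIN's entropy against offline guessing, which is why a real deployment would add a hardware-backed keystore or rate limiting rather than rely on PBKDF2 alone.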
Moore warned the vulnerability could become "the catalyst for an enormous breach," threatening both individual users and the platforms that rely on the app to meet compliance obligations under EU rules.
A Wider Problem With Age-Verification Systems
This is not an isolated failure. A prior breach at a separate age-verification firm exposed identity documents belonging to roughly 70,000 Discord users, showing how damaging these incidents can be. Age-verification systems by nature collect or process sensitive identity data (government IDs, biometrics, or AI-based age estimates), which makes them high-value targets.
The EU app's failure illustrates a recurring gap: even systems built with privacy as a stated goal can be undermined by weak implementation. Secure credential storage and tamper resistance are not optional extras; they are baseline requirements. Getting the architecture right at the policy level means little if the engineering does not follow through.
The incident landed alongside other notable security events, including data breaches at fitness operator Basic-Fit and Booking.com, and a DDoS attack on the social platform Bluesky. Taken together, they reflect sustained pressure on digital infrastructure across Europe.
For regulators, the immediate question is whether the app will be patched, pulled, or left in use while platforms depend on it for legal compliance. For the broader age-verification push, which is expanding in the EU, Australia, the UK, and elsewhere, the episode is a reminder that mandating age checks without mandating security standards creates its own set of risks.