EU age verification app: "Worry-free package" with security vulnerabilities
The EU Commission wants to revolutionize youth protection online via app. But the promise of anonymity and security quickly proves to be very fragile.
It was intended as a technological milestone for youth protection: an EU app that verifies age without sacrificing privacy. However, just hours after its presentation by Commission President Ursula von der Leyen, the project came under fire. Security expert Paul Moore demonstrated on X how he “cracked” the system in less than two minutes.
According to his analysis, sensitive data sits unprotected on the device: the PIN is insufficiently secured, rate limits can be circumvented by resetting simple configuration files, and biometric authentication can be switched off with a single click. Moore warns: “This product will be the catalyst for a massive data leak.”
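To make the first two findings concrete, here is an added illustration written for this article (generic example code, not code from the EU app or from Paul Moore): a PIN checked against a fast unsalted hash with the failed-attempt counter kept in an editable JSON file, beside a variant in which the PIN verifier is a salted slow KDF and the counter is authenticated with a device key and bound to a monotonic epoch. The device key and epoch are held only in memory here as stand-ins for a hardware-backed keystore and hardware monotonic counter; that is an assumption of the example, and a real app must not keep them in the filesystem. The sample PIN, file names and attacker loop are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile

MAX_ATTEMPTS = 5
PIN = "7421"  # constructed sample PIN for the demo


def _locked(n):
    return n is None or n >= MAX_ATTEMPTS


class WeakPinStore:
    """Unsalted fast hash of the PIN; failed-attempt counter in a plain JSON file."""

    def __init__(self, path, pin):
        self.path = path
        self.pin_hash = hashlib.sha256(pin.encode()).hexdigest()
        self._write(0)

    def _write(self, n):
        with open(self.path, "w") as f:
            json.dump({"failed_attempts": n}, f)

    def _read(self):
        try:
            with open(self.path) as f:
                return int(json.load(f)["failed_attempts"])
        except (OSError, ValueError, KeyError):
            return 0  # missing or unreadable file is treated as a fresh start

    def verify(self, guess):
        n = self._read()
        if _locked(n):
            return False
        ok = hashlib.sha256(guess.encode()).hexdigest() == self.pin_hash
        self._write(0 if ok else n + 1)
        return ok


class HardenedPinStore:
    """Salted slow KDF for the PIN; counter authenticated with a device key and tied
    to a monotonic epoch. Key and epoch live only in memory as stand-ins for a
    hardware-backed keystore and hardware counter (assumption of this example)."""

    def __init__(self, path, pin):
        self.path = path
        self._device_key = secrets.token_bytes(32)
        self._epoch = 0
        self.salt = secrets.token_bytes(16)
        self.verifier = self._kdf(pin)
        self._write(0)

    def _kdf(self, pin):
        return hashlib.scrypt(pin.encode(), salt=self.salt, n=2**14, r=8, p=1, dklen=32)

    def _mac(self, n, epoch):
        return hmac.new(self._device_key, f"{n}:{epoch}".encode(), hashlib.sha256).hexdigest()

    def _write(self, n):
        self._epoch += 1
        state = {"failed_attempts": n, "epoch": self._epoch, "mac": self._mac(n, self._epoch)}
        with open(self.path, "w") as f:
            json.dump(state, f)

    def _read(self):
        """Attempt count, or None if the state file is missing, edited or rolled back."""
        try:
            with open(self.path) as f:
                state = json.load(f)
            n, epoch = int(state["failed_attempts"]), int(state["epoch"])
            if epoch == self._epoch and hmac.compare_digest(state["mac"], self._mac(n, epoch)):
                return n
        except (OSError, ValueError, KeyError, TypeError):
            pass
        return None

    def verify(self, guess):
        n = self._read()
        if _locked(n):
            return False  # fail closed: no valid counter state means locked
        ok = hmac.compare_digest(self._kdf(guess), self.verifier)
        self._write(0 if ok else n + 1)
        return ok


def brute_force(store, reset):
    """Attacker with file access tries every 4-digit PIN, calling reset() on lockout."""
    for i in range(10000):
        if _locked(store._read()):
            reset()
            if _locked(store._read()):
                return None  # the reset trick no longer works; give up
        guess = f"{i:04d}"
        if store.verify(guess):
            return guess
    return None


def run_demo():
    """Returns (PIN recovered from weak store, PIN recovered from hardened store, legit login ok)."""
    with tempfile.TemporaryDirectory() as d:
        weak_path, hard_path = os.path.join(d, "weak.json"), os.path.join(d, "hard.json")
        weak_recovered = brute_force(WeakPinStore(weak_path, PIN), lambda: os.remove(weak_path))

        hard = HardenedPinStore(hard_path, PIN)
        legit = hard.verify(PIN)
        with open(hard_path, "rb") as f:
            snapshot = f.read()  # attacker keeps a copy of a valid-looking state file

        def restore():
            with open(hard_path, "wb") as f:
                f.write(snapshot)

        return weak_recovered, brute_force(hard, restore), legit


if __name__ == "__main__":
    print(run_demo())
```

Against the weak store, deleting the counter file whenever it locks yields the PIN after at most 10,000 guesses; against the hardened store, both deleting the file and restoring an earlier copy leave the app locked, because a missing, edited or rolled-back counter fails closed. The point is not the MAC itself but where the key and epoch live: if they sit in the same filesystem as the counter, an attacker with device access simply re-signs the file, which is why the real defence is hardware-backed storage or server-side enforcement.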
French hacker Baptiste Robert confirmed Moore's findings. According to him, the PIN code or Touch ID can also simply be bypassed. Cryptologist Olivier Blazy sees a practical problem: “Let's say I download the app and prove I'm over 18. Then my nephew can take my phone, unlock the app, and use it to vouch for his own age.”
The Commission defends its tool. A spokesperson conceded only that there was still room for improvement. Brussels also stated that the hackers had tested an outdated demo version, which the hackers denied. Later, it was explained that the “final version” available online was itself still a demo. The final product for citizens will be offered later, and the code will be continuously updated.
Open Source as a corrective
The fact that these vulnerabilities were found so quickly is also due to the app being open source. Blazy praises this approach. However, he criticizes the source code for not yet meeting the security standards one would expect. A rushed launch could undermine trust in future projects such as the digital identity EUDI.
Furthermore, the anonymity promised by the Commission President seems questionable; experts such as Anja Lehmann from the Hasso Plattner Institute dispute it. Because the app relies on pseudonyms, website operators could link a user's activities over longer periods. A promotional video also raised eyebrows: it shows a biometric comparison between a facial scan and an ID document, a procedure that von der Leyen had consistently rejected for platform operators. Judith Simon from the University of Hamburg warns that non-linkability is the prerequisite for real privacy.
Many experts wonder why the EU is building a parallel infrastructure to the already planned EUDI. Lehmann considers a separate app to be “of little use” as it deviates from established standards in important security criteria. Thomas Lohninger from the NGO Epicenter.works urges the Commission to rethink its initiative and focus on the overdue enforcement of existing online laws.
Finally, the problem of effectiveness remains. Tibor Jager from the University of Wuppertal describes the age verification as “trivial to circumvent.” With a VPN service, a user can appear to be connecting from outside the EU, where the rules do not apply. The researcher advocates “digital traffic education” instead of technical barriers. The Commission, however, is sticking to its schedule. Eight heads of state support in principle the initiative to restrict social media for minors. Since the app is not yet in regular use, there is time for corrections. The path to the “gold standard for privacy” is still long.
(nen)