The European Union’s new age-verification app, promoted as a privacy-preserving tool to protect children online, has been found critically vulnerable. Security researchers report it can be hacked in under two minutes. This flaw, identified soon after launch, has increased scrutiny of the EU’s broader approach to online age verification and digital identity systems.
Critical Flaws Undermine “Safe by Design” Claims

The European Commission introduced the app as an open-source tool to verify user age across platforms, enabling users to prove eligibility without sharing personal data.
Cybersecurity experts quickly identified significant design flaws. Storing user PINs locally allows attackers to bypass authentication controls with minimal effort.
Security consultant Paul Moore demonstrated that editing local configuration files allows attackers to reset PIN protections, disable biometric locks, and access stored credentials.
Moore warned that these vulnerabilities could make the system “the catalyst for an enormous breach,” posing risks to both individual users and platforms relying on the app for compliance.
Broader Pattern of Weaknesses in Age-Verification Tech

The incident underscores a wider challenge: building age-verification systems that are both effective and privacy-preserving.
Globally, these systems increasingly rely on government IDs, biometrics, or AI-based estimation, each with trade-offs among accuracy, accessibility, and data protection.
Previously, a breach at an age-verification firm exposed the identity documents of 70,000 Discord users, showing how sensitive this data is once compromised.
Experts warn that even “privacy-first” architectures can fail if basic security practices, such as secure credential storage and tamper resistance, are not rigorously implemented.
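The two practices named above, secure credential storage and tamper resistance, are easy to state and easy to get wrong. The following added example (written for this page; it is not the EU app's code and makes no claim about its internals) contrasts a weak local PIN store, where the PIN and lock flags sit in an editable config that the verifier trusts blindly, with a hardened one that keeps only a salted PBKDF2 hash of the PIN and authenticates the whole config with an HMAC under a device-bound key. The `device_key` here is a random in-memory stand-in; a real app would keep that key in a hardware-backed keystore. Function names, field names and the sample PIN values are all constructed for illustration.

```python
"""Weak vs. tamper-resistant local PIN storage (illustrative example, not the EU app's code)."""
import hashlib
import hmac
import json
import secrets

# ---------- Weak design: plaintext PIN and lock flags in an editable config ----------

def weak_store(pin: str) -> dict:
    # Whoever can edit this file can read or replace the PIN and flip the lock flags.
    return {"pin": pin, "biometric_lock": True, "failed_attempts": 0}


def weak_verify(config: dict, pin: str) -> bool:
    # Trusts the file contents as-is: a rewritten "pin" field is accepted without question.
    return config["pin"] == pin


# ---------- Hardened design: salted KDF for the PIN, HMAC over the whole config ----------

PBKDF2_ITERATIONS = 200_000  # slows offline guessing of a short numeric PIN


def _derive_pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def _config_mac(body: dict, device_key: bytes) -> str:
    # Canonical JSON so that key order cannot be used to produce two encodings of one body.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(device_key, canonical, "sha256").hexdigest()


def hardened_store(pin: str, device_key: bytes) -> dict:
    salt = secrets.token_bytes(16)
    body = {
        "salt": salt.hex(),
        "pin_hash": _derive_pin_hash(pin, salt).hex(),  # PIN itself is never written to disk
        "biometric_lock": True,
        "failed_attempts": 0,
    }
    return {"body": body, "mac": _config_mac(body, device_key)}


def hardened_verify(config: dict, pin: str, device_key: bytes) -> str:
    """Return "tampered", "wrong_pin" or "ok". Integrity is checked before anything else."""
    body = config["body"]
    if not hmac.compare_digest(_config_mac(body, device_key), config["mac"]):
        return "tampered"  # any edit to salt, hash or lock flags invalidates the MAC
    expected = bytes.fromhex(body["pin_hash"])
    candidate = _derive_pin_hash(pin, bytes.fromhex(body["salt"]))
    return "ok" if hmac.compare_digest(candidate, expected) else "wrong_pin"


# ---------- Simulated on-disk edit, applied to either config layout ----------

def tamper_config(config: dict, field: str, value) -> dict:
    """Return a copy with one field rewritten, as an editor on the device's file system would."""
    edited = json.loads(json.dumps(config))  # deep copy via JSON round trip
    target = edited["body"] if "body" in edited else edited
    target[field] = value
    return edited


def demo() -> dict:
    device_key = secrets.token_bytes(32)  # stand-in for a hardware-backed keystore key (assumption)

    weak = weak_store("4821")
    weak_edited = tamper_config(weak, "pin", "0000")  # PIN simply overwritten in the file

    strong = hardened_store("4821", device_key)
    strong_edited = tamper_config(strong, "biometric_lock", False)  # lock flag flipped in the file

    return {
        "weak_accepts_rewritten_pin": weak_verify(weak_edited, "0000"),
        "hardened_correct_pin": hardened_verify(strong, "4821", device_key),
        "hardened_wrong_pin": hardened_verify(strong, "0000", device_key),
        "hardened_edited_config": hardened_verify(strong_edited, "4821", device_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats a reviewer would raise on the hardened side: the MAC detects edits but not rollback, so an attacker who saved an older valid config (for example, one with `failed_attempts` at 0) could restore it unless a monotonic counter or keystore-bound state is added; and the scheme only helps if `device_key` is genuinely unreadable from the file system, which is exactly what a hardware-backed keystore provides and a plain config file does not.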
A Surge in Cybersecurity Threats Across Platforms

The vulnerability discovered in the EU app surfaced amid a wave of significant cybersecurity incidents that underscored growing digital risks. Major data breaches at organisations such as the European fitness operator Basic-Fit and Booking.com exposed sensitive customer information, raising concerns about data protection practices. At the same time, the social platform Bluesky experienced a disruptive DDoS attack, though it did not result in any data loss.
As governments worldwide expand age-check mandates, a key challenge persists: verifying identity online without increasing risks of surveillance, exclusion, or large-scale data breaches.