EU's New Age Verification App Can Be Hacked Within 2 Minutes, Researchers Claim

April 16, 2026

EU's Age Verification App

The European Commission’s newly launched Digital Age Verification App, unveiled on April 14, 2026, to protect minors from harmful online content, has already been compromised, with UK-based security consultant Paul Moore demonstrating a full authentication bypass in under two minutes.

During app setup, users are prompted to create a PIN. The app then encrypts this PIN and stores it in a local configuration file called shared_prefs on the user’s device.

However, researchers identified two critical architectural flaws. First, the encrypted PIN is stored locally but is not cryptographically tied to the identity vault that holds the actual verification credentials. Second, the encryption itself serves no meaningful security purpose, because the file that holds the encrypted PIN can be edited.

An attacker with physical access to the device can exploit this by simply deleting the PinEnc and PinIV values from the shared_prefs file, restarting the app, and entering a new PIN of their choice.

The app then presents credentials from the original verified identity profile as valid under the attacker’s new PIN, effectively allowing the theft of age-verification credentials without triggering any alerts.

Other Security Issues

Beyond the PIN vulnerability, researchers uncovered two further weaknesses that rely on the same editable configuration file:

  • Rate limiting bypass: The brute-force protection is implemented as a simple incrementing counter in the same shared_prefs file. An attacker can reset this value to zero, enabling unlimited PIN guessing attempts with no lockout.
  • Biometric authentication bypass: A boolean flag labeled UseBiometricAuth controls whether biometric verification is required. Setting this value to false completely skips the biometric step, removing an entire layer of authentication.
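The binding that the researchers say is missing can be sketched as follows. This is an added example, not the app's code: the vault key is recoverable only from the PIN, and the counter and biometric flag are sealed with a MAC. The field names, `DEVICE_KEY` (standing in for a hardware-keystore key) and the lockout threshold are assumptions.

```python
import hashlib, hmac, json, secrets

# Assumption: stands in for a key held in a hardware-backed keystore,
# outside the editable preferences file.
DEVICE_KEY = secrets.token_bytes(32)
MAX_FAILURES = 5  # hypothetical lockout threshold

class Tampered(Exception):
    pass

def _mac(prefs):
    # MAC over every field except the MAC itself, in a canonical order.
    body = json.dumps({k: v for k, v in prefs.items() if k != "mac"}, sort_keys=True)
    return hmac.new(DEVICE_KEY, body.encode(), "sha256").hexdigest()

def _pin_keys(pin, salt):
    # The PIN is never stored; it only yields a wrapping pad and a check key.
    okm = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=64)
    return okm[:32], okm[32:]

def enroll(pin, vault_key):
    # vault_key: the 32-byte key protecting the credentials (constructed in tests).
    salt = secrets.token_bytes(16)
    pad, check = _pin_keys(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, pad))  # stdlib stand-in for AES key wrap
    prefs = {"salt": salt.hex(), "wrapped": wrapped.hex(),
             "tag": hmac.new(check, wrapped, "sha256").hexdigest(),
             "failures": 0, "use_biometric": True}
    prefs["mac"] = _mac(prefs)
    return prefs

def unlock(prefs, pin):
    # A deleted PIN record, a reset counter or a flipped flag all break the MAC.
    if not hmac.compare_digest(prefs.get("mac", ""), _mac(prefs)):
        raise Tampered("settings changed outside the app")
    if prefs["failures"] >= MAX_FAILURES:
        return None  # locked out; the counter cannot be reset by editing the file
    wrapped = bytes.fromhex(prefs["wrapped"])
    pad, check = _pin_keys(pin, bytes.fromhex(prefs["salt"]))
    ok = hmac.compare_digest(prefs["tag"], hmac.new(check, wrapped, "sha256").hexdigest())
    prefs["failures"] = 0 if ok else prefs["failures"] + 1
    prefs["mac"] = _mac(prefs)
    return bytes(a ^ b for a, b in zip(wrapped, pad)) if ok else None
```

A MAC does not stop someone from restoring an older, validly sealed copy of the file; preventing that rollback needs a counter kept in secure hardware.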

Security experts have stressed that this is not a minor edge case; it is a fundamental design failure. The EU Age Verification App was built as a prototype for the broader European Digital Identity Wallet ecosystem, making these vulnerabilities particularly significant for critical national infrastructure.

Critics have also noted a separate architectural flaw discovered in March 2026, in which the system cannot verify that passport validation actually occurred on a user’s device.

Moore publicly addressed Commission President Ursula von der Leyen, warning that “this product will be the catalyst for an enormous breach at some point; it’s just a matter of time”. Six EU member states, including France, Spain, and Denmark, are currently in pilot phases of the app.

The European Commission has not yet issued an official patch or public response to the disclosed vulnerabilities as of April 17, 2026.
