EU’s New Identity Verification App Hacked in 2 Minutes
- 8 May
- 2 min read
“The EU’s new age verification app was introduced with claims of protecting user privacy, but it quickly came under scrutiny due to serious security vulnerabilities. The system was bypassed within minutes.”
As you know, internet controls are being tightened worldwide. While restrictions are being introduced for users under 18, identity verification applications are also being implemented to determine users’ ages. This week, the European Union joined this trend. The European Commission launched a new application that allows users to prove their age without sharing personal data. However, the system made headlines for its security flaws less than 48 hours after its release.
Launched on April 14, the Digital Age Verification App enables users to verify their age using a passport or ID card. European Commission President Ursula von der Leyen described the app as a “user-friendly solution with high privacy standards.” However, findings regarding the system’s security have cast doubt on these claims. UK-based security consultant Paul Moore managed to completely bypass the app’s authentication mechanism in under two minutes.

The System Contains Multiple Vulnerabilities That Can Be Exploited by Hackers
In the EU’s age verification application, the PIN code provided by the user is encrypted and stored in a local file on the device called “shared_prefs.” Paul Moore identified two major architectural flaws in this design: the encrypted PIN is not cryptographically bound to the identity verification data, and the encryption method used provides virtually no real security since the file can be easily modified. This vulnerability allows an attacker with physical access to reset the application by deleting the PinEnc and PinIV values in the file and then log in using a newly defined PIN. More critically, once the new PIN is accepted, the application continues to treat the previously verified identity data as valid. This means that age verification data can be accessed without triggering any alerts.
The issues do not end there. Other critical security mechanisms stored in the same configuration file can also be easily manipulated. For example, the rate-limiting mechanism designed to prevent brute-force attacks is merely a simple counter, which can be reset to allow unlimited attempts. Similarly, the parameter that determines whether biometric authentication is enabled can be modified to completely disable this security layer. Additionally, there are vulnerabilities that allow bypassing the system even without physical access. Experts emphasize that this is not just a minor software bug, but a fundamental design flaw in the system.
Following the disclosure of Paul Moore’s findings, the European Commission took action and released an updated version of the application after implementing some changes. However, these early issues highlight the potential risks such systems may pose, especially considering that similar mechanisms are planned to be used in the upcoming European Digital Identity framework.
Some Measures to Prevent Such Attacks:
- Authentication decisions must be made strictly on the server side; client-side trust should be avoided
- Multi-Factor Authentication (MFA) should be mandatory
- Suspicious activities must be logged and integrated with SIEM systems
- Regular penetration testing and security assessments should be conducted
- Local storage (e.g., shared_prefs) must be encrypted and protected with integrity controls
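As an added illustration (not code from the app, the Commission or Paul Moore's write-up), the following Python model of a shared_prefs-style key-value store shows the integrity control from the last point above: the PIN verifier, the verified identity data, the failed-attempt counter and the biometric flag are sealed under one MAC keyed by a device-bound key, so deleting or resetting any single field invalidates the whole record instead of silently resetting the app while the identity data stays "verified". The field names, the functions and the constant key (standing in for a hardware keystore key) are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: on a real device this key lives in a hardware-backed keystore and never
# leaves it; a constructed constant is used here so the example runs offline.
DEVICE_KEY = b"constructed-device-bound-key-for-example-only"
MAX_FAILED_ATTEMPTS = 5


def pin_verifier(pin: str, salt_hex: str) -> str:
    # Store a salted, stretched verifier instead of a reversible "encrypted PIN".
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), bytes.fromhex(salt_hex), 100_000).hex()


def _mac(fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(DEVICE_KEY, body, hashlib.sha256).hexdigest()


def seal(fields: dict) -> dict:
    """Bind every security-relevant field under a single MAC over the whole record."""
    return {**fields, "Mac": _mac(fields)}


def is_intact(record: dict) -> bool:
    """False if any field was added, removed or changed since the record was sealed."""
    mac = record.get("Mac")
    fields = {k: v for k, v in record.items() if k != "Mac"}
    return mac is not None and hmac.compare_digest(mac, _mac(fields))


def create_store(pin: str, identity_data: dict) -> dict:
    salt_hex = secrets.token_hex(16)
    return seal({"PinSalt": salt_hex, "PinVerifier": pin_verifier(pin, salt_hex),
                 "IdentityData": identity_data, "FailedAttempts": 0, "BiometricEnabled": True})


def record_failure(record: dict) -> dict:
    """Increment the lockout counter and re-seal so the new count is also MAC-protected."""
    fields = {k: v for k, v in record.items() if k != "Mac"}
    return seal({**fields, "FailedAttempts": fields["FailedAttempts"] + 1})


def unlock(record: dict, pin: str):
    """Return identity data only for an intact, unlocked record with a matching PIN."""
    if not is_intact(record):
        return None  # tampering detected: identity data must be re-verified, not reused
    if record["FailedAttempts"] >= MAX_FAILED_ATTEMPTS:
        return None
    expected = pin_verifier(pin, record["PinSalt"])
    return record["IdentityData"] if hmac.compare_digest(record["PinVerifier"], expected) else None
```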
For more information, you can contact our experts at info@zerosecond.ae