EU age verification app falls in two minutes
The European Commission unveiled an age-checking app intended to let platforms verify adult users without exposing extra personal data. Security researchers then found that the prototype’s local storage and authentication design could be tampered with on-device, allowing PIN and biometric protections to be bypassed and raising doubts about whether the system is ready for wider deployment.
Hot take: this is the kind of launch that sounds privacy-first in a press release but becomes a security liability the moment anyone tests the threat model. The concept is reasonable; the implementation appears to have trusted the device too much, which is exactly where age-verification systems tend to fail.
- The core problem is not the policy goal, but the app’s local trust assumptions and editable state.
- A two-minute bypass is a credibility hit for a system positioned as a reference implementation.
- If this code is meant for broader EU rollout, the security bar needs to be much higher before public deployment.
- The incident reinforces a recurring pattern: age-verification systems are easy to promise and hard to secure without creating new privacy risks.
Discovered: 2026-04-20
Published: 2026-04-20
Author: axbyte