EU’s New Age Verification App Can Be Hacked Within 2 Minutes, Researchers Claim
Cybersecurity News, archived Apr 17, 2026
The European Commission’s newly launched Digital Age Verification App, unveiled on April 14, 2026, to protect minors from harmful online content, has already been compromised, with UK-based security consultant Paul Moore demonstrating a full authentication bypass in under two minutes.
During app setup, users are prompted to create a PIN. The app then encrypts this PIN and stores it in a local configuration file called shared_prefs on the user’s device.
However, researchers identified two critical architectural flaws: the encrypted PIN is stored locally but is not cryptographically tied to the identity vault that holds actual verification credentials, and the encryption itself serves no meaningful security purpose given its editable nature.
Hacking the #EU #AgeVerification app in under 2 minutes.
During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.
1. It shouldn't be encrypted at all – that's a really poor design.
2. It's not… HTTPS://T.CO/Z39QBDCLC2 PIC.TWITTER.COM/FGRVWTWZAZ
— Paul Moore – Security Consultant (@Paul_Reviews) April 16, 2026
An attacker with physical access to the device can exploit this by simply deleting the PinEnc and PinIV values from the shared_prefs file, restarting the app, and entering a new PIN of their choice.
The app then presents credentials from the original verified identity profile as valid under the attacker’s new PIN, effectively allowing the theft of age-verification credentials without triggering any alerts.
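The binding problem described above, modelled in Python as an added example (not the app's code and not the researchers'): `UnboundWallet` mirrors the reported behaviour, while `BoundWallet` seals the credential under a key derived from the PIN. The class and function names, the sample credential, the hash standing in for the encrypted PIN record and the stdlib cipher stand-in are all assumptions made for illustration.

```python
import hashlib, hmac, os

def _keys(pin, salt):
    # Salted, slow derivation (iteration count illustrative): one key to encrypt, one to MAC.
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=64)
    return dk[:32], dk[32:]

def _xor(key, data):
    # Stdlib stand-in for a real cipher such as AES-GCM, so the example runs offline.
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

class UnboundWallet:
    """Model of the reported flaw: vault opens for whichever PIN is enrolled in prefs."""
    def __init__(self, credential, pin):
        self.vault = credential                  # not tied to the PIN in any way
        self.prefs = {"PinEnc": self._rec(pin)}  # dict stands in for shared_prefs
    @staticmethod
    def _rec(pin):                               # hash stands in for the encrypted PIN
        return hashlib.sha256(pin.encode()).hexdigest()
    def unlock(self, pin):
        if "PinEnc" not in self.prefs:           # missing record is treated as first run
            self.prefs["PinEnc"] = self._rec(pin)
        ok = hmac.compare_digest(self.prefs["PinEnc"], self._rec(pin))
        return self.vault if ok else None

class BoundWallet:
    """Hardened model: vault sealed under a PIN-derived key; no PIN record to replace."""
    def __init__(self, credential, pin):
        self.prefs = {"salt": os.urandom(16)}
        enc, mac = _keys(pin, self.prefs["salt"])
        ct = _xor(enc, credential)
        self.sealed = (ct, hmac.new(mac, ct, "sha256").digest())
    def unlock(self, pin):
        if "salt" not in self.prefs:
            return None                          # tampered state: fail closed
        enc, mac = _keys(pin, self.prefs["salt"])
        ct, tag = self.sealed
        if not hmac.compare_digest(tag, hmac.new(mac, ct, "sha256").digest()):
            return None                          # wrong PIN yields the wrong key
        return _xor(enc, ct)

def demo():
    cred = b"age_over_18=true"                   # constructed sample credential
    results = {}
    for cls in (UnboundWallet, BoundWallet):
        w = cls(cred, "1234")
        w.prefs.clear()                          # the prefs edit the article describes
        results[cls.__name__] = w.unlock("9999") == cred
    return results                               # True means the credential was released
```

A short PIN can still be guessed offline against the sealed blob, so a production design would also gate the key behind hardware-backed storage that enforces the attempt limit.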
Other Security Issues
Beyond the PIN vulnerability, researchers uncovered two further weaknesses, both arising from values stored within the same editable configuration file:
Rate limiting bypass: The brute-force protection is implemented as a simple incrementing counter in the same shared_prefs file. An attacker can reset this value to zero, enabling unlimited PIN guessing attempts with no lockout.
Biometric authentication bypass: A boolean flag labeled UseBiometricAuth controls whether biometric verification is required. Setting this value to false completely skips the biometric step, removing an entire layer of authentication.
Security experts have stressed that this is not a minor edge case; it is a fundamental design failure. The EU Age Verification App was built as a prototype for the broader European Digital Identity Wallet ecosystem, making these vulnerabilities particularly significant for critical national infrastructure.
Critics have also noted a separate architectural flaw discovered in March 2026, in which the system cannot verify that passport validation actually occurred on a user’s device.
Moore publicly addressed Commission President Ursula von der Leyen, warning that “this product will be the catalyst for an enormous breach at some point it’s just a matter of time”. Six EU member states, including France, Spain, and Denmark, are currently in pilot phases of the app.
The European Commission has not yet issued an official patch or public response to the disclosed vulnerabilities as of April 17, 2026.