Brussels' New Age Verification App: Hacked in Two Minutes

Reclaim The Net

The European Union’s age verification app arrived on Wednesday with a promise that it was “technically ready” for deployment across the bloc. Within hours, security researchers had torn it apart.

Commission President Ursula von der Leyen presented the tool in Brussels as the answer to a continent-wide push to keep minors off social media and adult websites. “It is fully open source. Everyone can check the code,” von der Leyen said. Researchers took her at her word. What they found has turned the launch into exactly the kind of security embarrassment that should make anyone think twice about digital identity systems.

Security consultant Paul Moore published a widely shared post on X documenting what he discovered after examining the GitHub repository. The app stores sensitive data on users’ phones and leaves it unprotected. Moore claimed he hacked it in under two minutes.

Brussels is standing by its product. “Yes, it is ready. Maybe we can add, ‘and it can always be improved’,” Chief Spokesperson Paula Pinho told reporters Friday. Digital spokesperson Thomas Regnier added a revealing clarification. “Now, when we say it’s a final version, it’s … still a demo version.” He said the final product is not yet available for citizens and “the code will be constantly updated and improved … I cannot today exclude or prejudge if further updates will be required or not.”

Moore led the technical takedown on X, describing the app’s architecture as broken at the foundation. The encrypted PIN the app stores locally, according to Moore, has no cryptographic link to the identity vault holding the actual verification data.

That gap enables a bypass that requires no exploit code or specialized tools. Delete a few specific values from the app’s configuration files, restart the app, set a new PIN, and the software happily hands over access to credentials that belong to the previous profile. Identity data gets reused under whatever access control the attacker defines.

The weaknesses deepen from there. Rate limiting, the standard defense against someone trying PIN after PIN until one works, lives in the same editable configuration file as a plain counter. Set it to zero and the app forgets every failed attempt.

The app’s failures extend past its bypass-friendly PIN system to something arguably more alarming for anyone who uploads a government ID. Identity documents processed through the app are not stored in encrypted form on the device, meaning the photos of passports, national IDs, and other verification images sit in accessible storage where any attacker with file access can pull them directly. Encryption at rest is standard practice for applications handling sensitive personal data. Banking apps do it. Password managers do it. Messaging apps do it for messages far less sensitive than a scanned passport. The EU’s age verification app, built specifically to handle government identity documents at scale, apparently does not.

Biometric authentication is governed by a single true-or-false flag sitting in user-accessible storage. Switch it to false and the app skips fingerprint and face checks entirely. None of this requires breaking encryption or defeating hardware security. It requires a basic text editor.
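What it looks like when the PIN is cryptographically bound to the vault and the lockout counter and biometric flag cannot be edited in a text file, as an added illustration that is not the EU app's code (nor Moore's analysis): the vault key is derived from the PIN with a KDF, the identity record is sealed under it, and the attempt counter and biometric flag are authenticated by a device key that the app can use but never read. `HardwareKeystore` is an assumed stand-in for a Secure Enclave or StrongBox key, the HMAC-based counter-mode construction stands in for a real AEAD such as AES-GCM so that the example runs on the Python standard library alone, and every function name and sample value is the example's own.

```python
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 100_000     # PBKDF2-HMAC-SHA256 work factor; scrypt/Argon2 preferred in production
MAX_FAILED_ATTEMPTS = 5


class HardwareKeystore:
    """Stand-in (assumption) for a Secure Enclave / StrongBox key: it signs, it never exports."""

    def __init__(self):
        self._device_key = os.urandom(32)   # real hardware never lets the app read this value

    def tag(self, record: dict) -> str:
        data = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._device_key, data, "sha256").hexdigest()

    def verify(self, record: dict, tag: str) -> bool:
        return hmac.compare_digest(self.tag(record), tag)


def _derive_keys(pin: str, salt: bytes):
    # The vault's only key comes from the PIN: no PIN, no plaintext, whatever is edited on disk.
    material = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]          # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF; illustrative, use AES-GCM in real code.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def _open(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("vault authentication failed: wrong PIN or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(keystore: HardwareKeystore, pin: str, identity_record: dict) -> dict:
    """On-disk store: PIN-sealed vault plus a policy record authenticated by the device key."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive_keys(pin, salt)
    policy = {"failed_attempts": 0, "biometric_enabled": True}
    return {
        "salt": salt.hex(),
        "vault": _seal(enc_key, mac_key, json.dumps(identity_record).encode()).hex(),
        "policy": policy,
        "policy_tag": keystore.tag(policy),
    }


def unlock(keystore: HardwareKeystore, store: dict, pin: str) -> dict:
    """Return the identity record; counter and flag edits are rejected before any PIN check."""
    if not keystore.verify(store["policy"], store["policy_tag"]):
        raise PermissionError("tampered")
    if store["policy"]["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
        raise PermissionError("locked")
    enc_key, mac_key = _derive_keys(pin, bytes.fromhex(store["salt"]))
    try:
        plaintext = _open(enc_key, mac_key, bytes.fromhex(store["vault"]))
    except ValueError:
        store["policy"]["failed_attempts"] += 1      # counter advances under the device key
        store["policy_tag"] = keystore.tag(store["policy"])
        raise
    store["policy"]["failed_attempts"] = 0
    store["policy_tag"] = keystore.tag(store["policy"])
    return json.loads(plaintext)


def try_unlock(keystore: HardwareKeystore, store: dict, pin: str):
    """Convenience wrapper returning ('ok' | 'wrong_pin' | 'tampered' | 'locked', record-or-None)."""
    try:
        return "ok", unlock(keystore, store, pin)
    except ValueError:
        return "wrong_pin", None
    except PermissionError as exc:
        return str(exc), None


if __name__ == "__main__":
    ks = HardwareKeystore()
    store = enroll(ks, "4829", {"document": "constructed passport scan placeholder"})
    print(try_unlock(ks, store, "4829"))          # ('ok', {...})
    store["policy"]["biometric_enabled"] = False  # flag edited without the device key
    print(try_unlock(ks, store, "4829"))          # ('tampered', None)
```

With this layout, deleting or rewriting values in the store does not produce a fresh profile that still opens the old credentials: the vault blob is unreadable without the PIN it was sealed under, and a flipped biometric flag or zeroed counter fails the device-key check before the PIN is even tried. The slow KDF also makes each guess cost real CPU time, so the counter is not the only thing standing between an attacker and the data. Note the honest limit of a software example: whether the counter survives a device compromise ultimately depends on the hardware keystore that the developers in the thread were asking about, which is exactly why the check belongs there rather than in a file.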

Moore did not mince words about where this leads. “Seriously, Von der Leyen – this product will be the catalyst for an enormous breach at some point. It’s just a matter of time,” he wrote.

Developers responding to the teardown pointed out that modern smartphones ship with hardware specifically designed to prevent exactly this kind of tampering. “Why did they not use the secure enclave?” one asked, referring to the isolated cryptographic coprocessors (Apple’s Secure Enclave and the hardware-backed keystores on Android devices) that keep sensitive authentication keys and checks out of reach of the rest of the operating system. The EU app instead stores its security controls in plain configuration files that any user with file access can modify.

Other responses questioned the app’s basic premises. Why should age verification expire? Why cap the number of times someone can verify? “Why does proof of age have an expiration date? Once I’m over 18, I will always be over 18. I’m not turning any younger!” one developer wrote. The questions point to a system designed not just to confirm age but to track verification events over time, building a log of when and where citizens proved themselves to online services.

Telegram CEO Pavel Durov jumped in with a sharper reading of the situation. Writing on his Telegram channel, Durov suggested the app’s vulnerabilities may be the feature rather than the bug.

“Their age verification app was hackable by design — it trusted the device,” he wrote, calling trust in the device “instant game over” from any serious security standpoint.

Durov sketched out what he sees as the likely trajectory. “Present a ‘privacy-respecting’ but hackable app… get hacked… remove privacy to ‘fix’ the app,” he wrote, describing the eventual outcome as “a surveillance tool sold as privacy-respecting.” The Telegram founder argued that this week’s breach revelations hand regulators exactly the justification they need for the next round of expansion. “Today’s ‘surprising hack’ just handed this excuse to them,” he wrote.

Durov has been consistent on this point. He previously described Spain’s plans for mandatory social media age verification as a “dangerous new regulation and a doorway to public surveillance and mass data collection,” and sent a direct message to every Telegram user in Spain attacking Prime Minister Pedro Sánchez’s proposed under-16 social media ban.

The Spanish government responded by accusing Durov of spreading lies and undermining democratic institutions.

Every one of these systems builds the same thing: a centralized or federated database of identity information tied to real people, accessed constantly, updated constantly, and breached eventually.