EU Age Verification App Hacked in 2 Minutes, EU’s Within

The European Commission’s new Digital Age Verification App, launched on April 14, 2026, has already proven vulnerable. Designed to protect minors from harmful online content, the app saw UK-based security consultant Paul Moore achieve a full authentication bypass in under two minutes.

During app setup, users are prompted to create a PIN. The app then encrypts this PIN and stores it in a local configuration file called shared_prefs on the user’s device.

However, researchers identified two critical architectural flaws: the encrypted PIN is stored locally but is not cryptographically tied to the identity vault that holds actual verification credentials, and the encryption itself serves no meaningful security purpose given its editable nature.

An attacker with physical access to the device can exploit this by simply deleting the PinEnc and PinIV values from the shared_prefs file, restarting the app, and entering a new PIN of their choice.

The app then presents credentials from the original verified identity profile as valid under the attacker’s new PIN, effectively allowing the theft of age-verification credentials without triggering any alerts.

Other Security Issues

Beyond the PIN vulnerability, researchers uncovered two further weaknesses stored within the same editable configuration file:

• Rate limiting bypass: The brute-force protection is implemented as a simple incrementing counter in the same shared_prefs file. An attacker can reset this value to zero, enabling unlimited PIN guessing attempts with no lockout.
• Biometric authentication bypass: A boolean flag labeled UseBiometricAuth controls whether biometric verification is required. Setting this value to false completely skips the biometric step, removing an entire layer of authentication.

Security experts have stressed that this is not a minor edge case; it is a fundamental design failure. The EU Age Verification App was built as a prototype for the broader European Digital Identity Wallet ecosystem, making these vulnerabilities particularly significant for critical national infrastructure.

Critics have also noted a separate architectural flaw discovered in March 2026, in which the system cannot verify that passport validation actually occurred on a user’s device.

Moore publicly addressed Commission President Ursula von der Leyen, warning that “this product will be the catalyst for an enormous breach at some point it’s just a matter of time”. Six EU member states, including France, Spain, and Denmark, are currently in pilot phases of the app.

The European Commission has not yet issued an official patch or public response to the disclosed vulnerabilities as of April 17, 2026.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.