Critical Flaws in EU Age Verification App Expose User Data
Key Takeaways
- A newly launched EU Digital Age Verification App contains multiple critical vulnerabilities, including an authentication bypass.
- The flaws allow unauthorized access to user age verification credentials and bypass biometric security and rate limiting.
- The app, a prototype for the EU Digital Identity Wallet, affects six EU member states currently piloting the technology.
- As of April 17, 2026, no official patch or public response has been issued by the European Commission.
The European Commission’s recently launched Digital Age Verification App, designed to safeguard minors online, has been found to contain severe security vulnerabilities just days after its debut on April 14, 2026. UK-based security consultant Paul Moore demonstrated a complete authentication bypass within minutes of examining the application.
Authentication Bypass Explained
The core of the issue lies in how the app handles user PINs. During the initial setup, users are prompted to create a PIN. This PIN is then encrypted and stored locally in a configuration file named shared_prefs on the user’s device.
Moore identified two critical design flaws: the encrypted PIN is stored locally without being cryptographically linked to the identity vault containing actual verification credentials, and the encryption itself provides no real security because the data is easily modifiable.
An attacker with physical access to a device can exploit this by deleting the PinEnc and PinIV values from the shared_prefs file. Upon restarting the app, the attacker can then set a new PIN of their choosing. The application subsequently presents the original, verified identity credentials as valid under the attacker’s new PIN, effectively enabling the theft of age-verification credentials without triggering any security alerts.
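To make the "not cryptographically linked" point concrete, here is a constructed Python model (added here, not the app's own code, and assuming nothing about its internals beyond what the article describes) of the two designs: the PIN check and the identity vault held as independent entries in a preferences store, versus a vault that exists only as ciphertext under a PIN-derived key, so that wiping the PIN record and enrolling a fresh PIN yields nothing. The entry names and the HMAC-counter-mode cipher (a stdlib stand-in for AES-GCM) are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model of the design flaw described above, not the app's own code.
# Entry names (PinHash, PinSalt, Vault, VaultSalt) are assumptions for illustration.
def derive_key(pin: str, salt: bytes) -> bytes:
    # Slow KDF so an offline guess costs real work (a production wallet would
    # also mix in a non-exportable hardware-keystore key).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, 32)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for AES-GCM's keystream.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong PIN or tampered blob: nothing is revealed
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

# Flawed shape: the PIN check and the vault are independent, editable entries.
def unbound_enrol(pin: str, credential: bytes) -> dict:
    salt = secrets.token_bytes(16)
    return {"PinSalt": salt, "PinHash": derive_key(pin, salt), "Vault": credential}

def unbound_open(prefs: dict, pin: str):
    if "PinHash" not in prefs:  # no PIN record present: app just enrols the new PIN
        prefs["PinSalt"] = secrets.token_bytes(16)
        prefs["PinHash"] = derive_key(pin, prefs["PinSalt"])
    if hmac.compare_digest(prefs["PinHash"], derive_key(pin, prefs["PinSalt"])):
        return prefs["Vault"]  # handed over regardless of which PIN enrolled it
    return None

# Hardened shape: the vault is stored only as ciphertext under the PIN-derived key.
def bound_enrol(pin: str, credential: bytes) -> dict:
    salt = secrets.token_bytes(16)
    return {"VaultSalt": salt, "Vault": seal(derive_key(pin, salt), credential)}

def bound_open(prefs: dict, pin: str):
    return unseal(derive_key(pin, prefs["VaultSalt"]), prefs["Vault"])
```

In the bound shape there is no PIN record to delete: the only way to read the credential is to present the PIN it was sealed under, and a wrong PIN fails the authentication tag rather than leaking anything.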
Other Security Failures
Beyond the critical PIN vulnerability, researchers identified additional security weaknesses within the same editable configuration file:
- Rate Limiting Bypass: The app’s brute-force protection is implemented as a simple counter in the shared_prefs file. An attacker can reset this counter to zero, allowing unlimited PIN guessing attempts without any lockout mechanism.
- Biometric Authentication Bypass: A boolean flag named UseBiometricAuth controls biometric verification. By setting this value to false, an attacker can completely bypass the biometric authentication step, removing a crucial layer of security.
These are not isolated issues but rather symptomatic of fundamental design flaws, according to security experts. The EU Age Verification App serves as a prototype for the broader European Digital Identity Wallet ecosystem, making these vulnerabilities particularly concerning for critical national infrastructure across the continent.
Further concerns arose in March 2026 when a separate architectural flaw was identified, revealing that the system cannot verify whether passport validation genuinely occurred on a user’s device. Paul Moore publicly warned Commission President Ursula von der Leyen, stating, “this product will be the catalyst for an enormous breach at some point it’s just a matter of time.” Six EU member states, including France, Spain, and Denmark, are currently piloting the vulnerable application.
As of April 17, 2026, the European Commission has not yet released an official patch or provided a public statement regarding these disclosed vulnerabilities.
What You Should Do
- Exercise Caution: If you are in one of the pilot EU member states (France, Spain, Denmark, etc.) and have installed the EU Age Verification App, be aware of these critical vulnerabilities.
- Physical Device Security: Given the reliance on physical access for exploitation, ensure robust physical security for your mobile devices.
- Monitor for Updates: Regularly check for official updates or patches from the European Commission. Install them immediately once available.
- Alternative Verification: Consider using alternative, established age verification methods where possible until these flaws are addressed.