Critical Flaws in EU Age Verification App Expose User Data


Emy Elsamnoudy
April 17, 2026

Key Takeaways

  • A newly launched EU Digital Age Verification App contains multiple critical vulnerabilities, including an authentication bypass.
  • The flaws allow unauthorized access to user age verification credentials and bypass biometric security and rate limiting.
  • The app, a prototype for the EU Digital Identity Wallet, affects six EU member states currently piloting the technology.
  • As of April 17, 2026, no official patch or public response has been issued by the European Commission.

The European Commission’s recently launched Digital Age Verification App, designed to safeguard minors online, has been found to contain severe security vulnerabilities just days after its debut on April 14, 2026. UK-based security consultant Paul Moore demonstrated a complete authentication bypass within minutes of examining the application.

Authentication Bypass Explained

The core of the issue lies in how the app handles user PINs. During the initial setup, users are prompted to create a PIN. This PIN is then encrypted and stored locally on the user's device, in a configuration file in the app's shared_prefs directory.

Moore identified two critical design flaws: the encrypted PIN is stored locally without being cryptographically linked to the identity vault containing actual verification credentials, and the encryption itself provides no real security because the data is easily modifiable.

Hacking the #EU #AgeVerification app in under 2 minutes.

During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.

1. It shouldn’t be encrypted at all – that’s a really poor design.
2. It’s not… https://t.co/z39qBdclC2 pic.twitter.com/FGRvWtXzaz

— Paul Moore – Security Consultant  (@Paul_Reviews) April 16, 2026

An attacker with physical access to a device can exploit this by deleting the PinEnc and PinIV values from the shared_prefs file. Upon restarting the app, the attacker can then set a new PIN of their choosing. The application subsequently presents the original, verified identity credentials as valid under the attacker’s new PIN, effectively enabling the theft of age-verification credentials without triggering any security alerts.

Other Security Failures

Beyond the critical PIN vulnerability, researchers identified additional security weaknesses within the same editable configuration file:

  • Rate Limiting Bypass: The app’s brute-force protection is implemented as a simple counter in the shared_prefs file. An attacker can reset this counter to zero, allowing for unlimited PIN guessing attempts without any lockout mechanism.
  • Biometric Authentication Bypass: A boolean flag named UseBiometricAuth controls biometric verification. By setting this value to false, an attacker can completely bypass the biometric authentication step, removing a crucial layer of security.

These are not isolated issues but rather symptomatic of fundamental design flaws, according to security experts. The EU Age Verification App serves as a prototype for the broader European Digital Identity Wallet ecosystem, making these vulnerabilities particularly concerning for critical national infrastructure across the continent.

Further concerns arose in March 2026 when a separate architectural flaw was identified, revealing that the system cannot verify whether passport validation genuinely occurred on a user’s device. Paul Moore publicly warned Commission President Ursula von der Leyen, stating, “this product will be the catalyst for an enormous breach at some point it’s just a matter of time.” Six EU member states, including France, Spain, and Denmark, are currently piloting the vulnerable application.

As of April 17, 2026, the European Commission has not yet released an official patch or provided a public statement regarding these disclosed vulnerabilities.

What You Should Do

  • Exercise Caution: If you are in one of the pilot EU member states (France, Spain, Denmark, etc.) and have installed the EU Age Verification App, be aware of these critical vulnerabilities.
  • Physical Device Security: Given the reliance on physical access for exploitation, ensure robust physical security for your mobile devices.
  • Monitor for Updates: Regularly check for official updates or patches from the European Commission. Install them immediately once available.
  • Alternative Verification: Consider using alternative, established age verification methods where possible until these flaws are addressed.
