A newly unveiled European age verification app is already under fire after a security researcher claimed he bypassed its protections in under 2 minutes.
The EU on Wednesday unveiled a new age verification app designed to let users prove their age online without handing over personal data to platforms, removing the need for sites to collect sensitive information.
The criticism comes shortly after Ursula von der Leyen praised the new age verification app as “technically ready” and aligned with “the highest privacy standards,” emphasizing its open-source nature as a transparency feature.
But that transparency may have worked a little too well: security experts took to X (formerly Twitter) to criticize the security of the new ID application.
Security consultant Paul Moore detailed what he described as fundamental design flaws in the EU’s age verification system.
“Seriously, Von der Leyen – this product will be the catalyst for an enormous breach at some point. It’s just a matter of time,” he said.
The EU launched a prototype of its age verification app in July 2025.
Easy security bypass
According to Moore, the app stores an encrypted PIN locally, but crucially, the encryption is not tied to the user’s identity vault, where sensitive verification data is kept.
That opens the door to a surprisingly simple bypass. By deleting specific values tied to the PIN from the app’s configuration files and restarting it, an attacker can set a new PIN while still retaining access to credentials created under the previous profile.
In effect, the app accepts reused identity data under a newly defined access control.
Security controls that reset themselves
Moore also pointed to additional weaknesses that make brute-force or bypass attempts even easier.
Rate limiting, typically used to prevent repeated guessing of PINs, is stored as a simple counter in the same editable configuration file. Reset it to zero, and the system forgets how many attempts have already been made.
Biometric authentication, meanwhile, is controlled by a single boolean flag. Flip it from “true” to “false,” and the app simply skips biometric checks altogether.
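As an added illustration (not code from the EU app or from Moore's analysis), the toy below contrasts the reported design, where the PIN record, attempt counter and biometric flag are plain profile fields and the vault is encrypted independently of the PIN, with a bound design in which a random vault key is wrapped under a PIN-derived key and a device secret, so a replaced PIN record no longer opens the old credential. The function names, the keystream stand-in for a real cipher, the sample credential and the in-memory "device secret" are all constructed for the example.

```python
import hashlib, hmac, os, secrets

VAULT_SECRET = b"age-over-18-credential"   # constructed stand-in for the stored credential
DEVICE_SECRET = secrets.token_bytes(32)    # stands in for a hardware-backed (enclave) key

def kdf(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy keystream cipher for the demo only; a real design uses AES-GCM or similar.
    ks = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

# Reported design: PIN check, attempt counter and biometric flag are plain profile
# fields, and the vault is encrypted under a key that ignores the PIN entirely.
def weak_enroll(pin: str) -> dict:
    salt = os.urandom(16)
    return {"pin_salt": salt, "pin_hash": kdf(pin, salt), "attempts": 0,
            "biometric_required": True, "vault": xor_stream(DEVICE_SECRET, VAULT_SECRET)}

def weak_open(cfg: dict, pin: str):
    if cfg["attempts"] >= 5:           # counter lives in the same editable file
        return None
    if not hmac.compare_digest(kdf(pin, cfg["pin_salt"]), cfg["pin_hash"]):
        cfg["attempts"] += 1
        return None
    return xor_stream(DEVICE_SECRET, cfg["vault"])   # any valid PIN record opens it

# Bound design: a random vault key encrypts the credential and is itself wrapped under
# PIN + device secret; a replaced PIN record simply fails to unwrap the original key.
def bound_enroll(pin: str) -> dict:
    salt, vault_key = os.urandom(16), os.urandom(32)
    wrap_key = hmac.new(DEVICE_SECRET, kdf(pin, salt), "sha256").digest()
    blob = xor_stream(vault_key, VAULT_SECRET)
    return {"pin_salt": salt, "wrapped_key": xor_stream(wrap_key, vault_key),
            "vault": blob, "tag": hmac.new(vault_key, blob, "sha256").digest()}

def bound_open(cfg: dict, pin: str):
    wrap_key = hmac.new(DEVICE_SECRET, kdf(pin, cfg["pin_salt"]), "sha256").digest()
    vault_key = xor_stream(wrap_key, cfg["wrapped_key"])
    tag = hmac.new(vault_key, cfg["vault"], "sha256").digest()
    if not hmac.compare_digest(tag, cfg["tag"]):
        return None                    # wrong PIN or tampered profile: nothing decrypts
    return xor_stream(vault_key, cfg["vault"])

def pin_reset_retains_vault(enroll, opener) -> bool:
    # Model the reported reset: PIN fields replaced by a freshly enrolled PIN, vault kept.
    cfg, fresh = enroll("1234"), enroll("0000")
    for field in ("pin_salt", "pin_hash", "attempts", "wrapped_key"):
        if field in fresh:
            cfg[field] = fresh[field]
    return opener(cfg, "0000") == VAULT_SECRET
```

In the bound variant there is no counter or flag left to edit: guessing cost comes from the KDF and the device secret, which on a real phone would be released by the secure enclave only after its own biometric or attempt-limit checks.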
“Apart from the things you highlighted, why do users only have a certain number of age verifications available? Why does proof of age have an expiration date? Once I’m over 18, I will always be over 18. I’m not turning any younger!”
The Collective Sensemaking Project (@csmproject), April 16, 2026
A design problem, not just a bug
Several developers reacted online, questioning the design. Sensitive authentication data should never be directly accessible or editable by end users.
“Why did they not use the secure enclave?” asked one, highlighting that such a feature is available on modern smartphones.
Others raised broader concerns about the app’s logic, including limits on how many times a user can verify their age and the presence of expiration dates on age credentials.
“Why does proof of age have an expiration date? Once I’m over 18, I will always be over 18. I’m not turning any younger!” said another.
Does the app open doors to surveillance?
The backlash quickly drew in high-profile voices, including Pavel Durov, co-founder and CEO of Telegram, who framed the incident as more than just a technical misstep.
In a post on his Telegram channel, Durov argued the app’s weaknesses may not be accidental.
“Their age verification app was hackable by design — it trusted the device,” he wrote, calling that “instant game over” from a security standpoint.
He went further, outlining what he suggested could be a broader trajectory for the project: first introducing a system marketed as privacy-friendly, then tightening controls after inevitable breaches.
“Present a ‘privacy-respecting’ but hackable app… get hacked… remove privacy to ‘fix’ the app,” he opined, describing the end result as “a surveillance tool sold as privacy-respecting.”
Durov also suggested that the current controversy could provide political cover for expanding data collection.
“Today’s ‘surprising hack’ just handed this excuse to them,” he claimed.

Telegram has opposed mandatory age verification measures, warning that such systems risk centralizing sensitive identity data and increasing the potential for misuse or large-scale breaches. In July 2025, in response to a tightening regulatory environment, Telegram launched an official age-verification bot using facial recognition technology, performing a facial scan via the device’s front camera to determine whether a user is over or under 18.
Durov previously expressed his concerns about the Spanish government’s plans to introduce age restrictions and age verification for social media, calling it a “dangerous new regulation and a doorway to public surveillance and mass data collection.”
In an unprecedented move, Durov sent a blanket message to all Telegram users in Spain, directly criticizing Prime Minister Pedro Sánchez’s proposed legislation to ban social media for under-16s with mandatory age verification. Spain hit back, accusing Durov of “spreading lies” and seeking to undermine democratic institutions.
Last year, Telegram filed a lawsuit in Australia to contest a massive fine imposed on the platform. Australia’s regulator ordered several major platforms, including Telegram, to outline how they tackle extremist and child abuse content. After reportedly failing to meet the deadline, Telegram was fined $686,977.
Facing a barrage of questions from journalists at the press briefing, a European Commission spokesperson sought to draw a careful line between what was presented this week and what is actually being deployed.
Officials acknowledged that the version showcased publicly is not yet a finished consumer product, even as it was described as “ready.” The Commission said the app presented “entails all the features” planned for users, but stressed that it remains, in practice, “still a demo version.”
The key distinction, according to the spokesperson, is that the app has not yet been formally rolled out to citizens. Instead, its source code has been published as open source specifically to invite scrutiny.
“Why did we decide to have it open source? To be transparent and to allow the community, developers, to test it and potentially help us to improve it,” the spokesperson said.
That openness, the Commission argued, is part of the development process, not a sign of failure. Officials confirmed that the code available on GitHub is being actively updated, with “a new version” already in progress following the latest wave of criticism. They added that it is too early to rule out further fixes, emphasizing that updates will be continuous as feedback comes in.
“Although the technical work on our side is ongoing, that open source code will be now constantly updated and improved until that final solution is then offered to our citizens,” the spokesperson said.
At the same time, the Commission maintained confidence in the project’s long-term direction. “We’re convinced from the commission side that this app will be a groundbreaking app meeting the highest privacy standards globally,” the spokesperson said.
“It is essential that we focus on this now and that we have indeed also feedback from developers to offer a solid and privacy-preserving solution to our kids.”
Age verification is being widely adopted, as well as criticized
A growing number of countries around the world have moved to crack down on online harms to children. EU lawmakers previously backed social media age limits, proposing bans for children under 13 and parental consent requirements up to age 16. The United Kingdom took an aggressive stance under its Online Safety Act, requiring porn sites to implement age checks by mid-2025.
The country also fined Reddit $20 million for verification failures, ultimately forcing Apple to roll out a device-level “child by default” mode that locked millions of iPhone users into restricted access unless they verified their age.
Australia became the first country to ban social media outright for under-16s, with Meta, TikTok, and Snapchat complying. Following the ban, adult sites like Pornhub and xHamster started blocking unverified Australian users entirely.
Age verification has been met with pushback from some tech companies that argue that enforcing age restrictions can create practical and privacy issues.
Discord became a flashpoint after announcing “teen-by-default” settings that require all adults to verify their age via facial recognition or government ID.
Security experts warned that the move was creating centralized identity “honey pots” vulnerable to cyberattack, ultimately forcing the platform to delay its global rollout.
A group of 405 security researchers signed an open letter warning that these laws reduce privacy and increase surveillance risks. Cybernews investigations previously revealed that age verification laws are driving millions of users toward unsafe free VPNs.