Security researchers hacked the demo version of the European Commission's new age verification app in less than two minutes, exposing significant vulnerabilities in the EU's latest digital security initiative. Many users are already hesitant to hand over personally identifying details—such as face scans, official IDs, or payment cards—to third-party vendors. With an increasingly age-gated internet on the horizon, this breach highlights a major potential point of failure for personal data.
How Security Researchers Hacked the Demo Version of the European Commission's New Age Verification App in Less Than Two Minutes
UK-based security consultant Paul Moore demonstrated via X how simple it is to steal an "identity wallet" and present it as your own. The Android app demo, which is currently available via GitHub, relies on a six-digit PIN for protection. However, the exploit is remarkably straightforward:
- Access the app’s eudi-wallet.xml configuration file.
- Scrub the user's previous PIN from the file.
- Set a fresh PIN via the app to gain access to verified credentials.
Moore warned that this product could be the "catalyst for an enormous breach at some point" and tagged EC president Ursula von der Leyen in his post. This level of vulnerability is particularly concerning because anyone with basic technical knowledge—or even children looking to unlock a parent's phone—could exploit it.
The European Commission's Response to the Vulnerability
In response to the reported bypass, the EC clarified the situation to Politico. Digital spokesperson Thomas Regnier noted that the exploit was limited to the demo version. He explained that since it is a demo, "the code will be constantly updated and improved."
This incident follows a joint statement from 400 security researchers sent to the EC last month regarding the ease of bypassing existing age estimation services. Despite these growing concerns, chief spokesperson Paula Pinho stood by von der Leyen’s original claim that the app is "ready," adding that it can always be improved.
A bypass of the demo app in less than two minutes is a significant blow to public confidence. This project is the result of a €4 million tender, making the current security flaws hard to ignore for those concerned about data privacy or child safety online.