The European Commission introduced the EU age verification app with an unusually confident set of claims. Ursula von der Leyen said publicly that the app would let users verify their age without giving up any other personal information, that it met the highest privacy standards in the world, that users could not be tracked, and that it was fully open source and technically ready for deployment. She also said platforms had no more excuses, meaning they could no longer claim that practical age-verification tools did not exist. The Commission's published materials repeated the same message and described the app as finished and privacy-preserving. Those claims were never likely to hold up for long, and anyone in security, or anyone with basic programming knowledge, could have guessed as much: the app's protections were bypassed within a day of release, with very little effort.

A public demo published online showed the app being bypassed with minimal effort. The PIN protecting the stored credential could be circumvented. The lockout mechanism could be reset. The biometric verification layer could be disabled entirely. After that, the app still produced the original verified credential without resistance. The demo required no advanced tools, no long reverse engineering session, and no specialized knowledge. It was short, simple, and easy to follow, which is exactly what makes it so damaging. When a sophisticated attacker breaks a system after months of work, that is one kind of problem. When a short public walkthrough breaks it almost immediately, that suggests the protections were weak from the start: PIN, lockout and biometric gates that can all be switched off while the credential is still handed over are checks in the app's own code, not conditions the credential cannot be released without, and anyone with control of the device can remove a check that lives only in app logic.
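The difference between a gate that is a flag and a gate that is bound to the credential is easier to see in code. The following is an added example written for this article, not the app's code and not a reconstruction of it: a store in which the PIN hash, lockout counter and biometric flag sit beside a plaintext credential, next to a store in which the credential exists only as ciphertext under a PIN-derived key. The credential payload, the attacker helpers and the iteration count are constructed for the example, and the HMAC-based encrypt-then-MAC construction is a standard-library stand-in for AES-GCM so the block runs with no extra packages.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample payload standing in for a verified age credential.
CREDENTIAL = b'{"over_18": true, "issuer": "example-issuer"}'
MAX_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000  # assumed value for the example; tune per device


class FlagGatedStore:
    """Weak pattern: the credential is stored in the clear and the PIN hash,
    lockout counter and biometric flag sit beside it as ordinary fields. Each
    gate is advisory: whoever can edit the store (rooted device, backup
    extraction, a debugger) can reset or disable it and read the credential."""

    def __init__(self, pin: str) -> None:
        self.store = {
            "pin_hash": hashlib.sha256(pin.encode()).hexdigest(),
            "failed_attempts": 0,
            "biometric_required": True,
            "credential": CREDENTIAL,
        }

    def unlock(self, pin: str, biometric_ok: bool) -> Optional[bytes]:
        s = self.store
        if s["failed_attempts"] >= MAX_ATTEMPTS:
            return None
        if s["biometric_required"] and not biometric_ok:
            return None
        if hashlib.sha256(pin.encode()).hexdigest() != s["pin_hash"]:
            s["failed_attempts"] += 1
            return None
        s["failed_attempts"] = 0
        return s["credential"]


def bypass_flag_gated(v: FlagGatedStore) -> Optional[bytes]:
    """Attacker with write access: clear the lockout, switch off the biometric
    gate, read the credential. The PIN is never needed."""
    v.store["failed_attempts"] = 0
    v.store["biometric_required"] = False
    return v.store["credential"]


def _derive_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, 32)


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stdlib stand-in for a real AEAD's cipher.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> Optional[bytes]:
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong PIN or tampered blob: nothing is released
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyBoundStore:
    """Hardened pattern: on disk the credential is only ciphertext under a key
    derived from the PIN. The lockout counter is still a field, but resetting
    it, or patching the check, yields ciphertext and nothing else."""

    def __init__(self, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.store = {"salt": salt, "failed_attempts": 0,
                      "blob": _seal(_derive_key(pin, salt), CREDENTIAL)}

    def unlock(self, pin: str) -> Optional[bytes]:
        s = self.store
        if s["failed_attempts"] >= MAX_ATTEMPTS:
            return None
        cred = _open(_derive_key(pin, s["salt"]), s["blob"])
        s["failed_attempts"] = 0 if cred is not None else s["failed_attempts"] + 1
        return cred


def bypass_key_bound(v: KeyBoundStore, guess: str = "0000") -> Optional[bytes]:
    """Same attacker, same write access: the lockout is reset, but without the
    right PIN the blob does not decrypt, so no credential comes out."""
    v.store["failed_attempts"] = 0
    return v.unlock(guess)
```

Two caveats belong with this. A short numeric PIN is brute-forceable offline once the blob has been copied off the device, so the software binding shown here is only the first half of a real design; on a phone the key should be wrapped by a hardware-backed keystore entry whose own attempt counter and user-presence requirement the attacker cannot edit, which is also where the biometric gate has to live if it is to be more than a flag. And the lockout counter in the hardened store is still just a field; it slows an on-device guesser, not an attacker who holds the file.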
Separate findings raised more concerns about how the app handled biometric source material during scanning. For NFC document scans, the app reportedly extracted the facial image stored in the document chip and wrote it to the device as a lossless PNG file. That file was deleted only after a successful scan. A failed attempt, an interrupted scan, a user cancellation, or an application crash could leave the full biometric image sitting on the device. For selfie capture, the issue was reportedly worse. Those images were written to external storage, outside the app's private sandbox, in lossless PNG format, and were not reliably deleted afterward. An application can encrypt its output tokens and still create serious privacy exposure if it mishandles the source material that produced them, and that is exactly what this file-handling issue describes.
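The failure modes described above, deletion only on the success path and writes outside the app's private storage with nothing to recover after a crash, can be set beside the lifecycle a practitioner would expect. The following is an added example written for this article, not the app's code: a constructed byte string stands in for the chip or camera image, a stand-in matcher models success, rejection and a crash, and the file-naming convention is an assumption. The in-memory path, keeping the image as bytes and never writing it, is the one to prefer; the hardened function shows the minimum if a file must exist at all.

```python
import os
import tempfile
import time
from typing import List

# Constructed stand-in for the raw face image read from a document chip or camera.
# A real frame would be a full-size PNG; the content is irrelevant to the lifecycle.
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(64)

FILE_PREFIX = "face-"  # assumed naming convention for frames spilled to disk


def match_face(image: bytes, outcome: str = "ok") -> bool:
    """Stand-in for the face-matching step. 'ok' is a successful match and
    'reject' a failed scan; 'crash' raises, modelling an app crash mid-scan."""
    if outcome == "crash":
        raise RuntimeError("matcher crashed")
    return outcome == "ok"


def scan_in_memory(image: bytes, outcome: str = "ok") -> bool:
    """Preferred path: the image never touches storage, so there is nothing
    to leave behind on any exit path."""
    return match_face(image, outcome)


def weak_scan(directory: str, image: bytes, outcome: str = "ok") -> bool:
    """Weak lifecycle: write the frame with default permissions and delete it
    only after a successful match. Rejection, cancellation or a crash leaves
    the full image on disk."""
    path = os.path.join(directory, FILE_PREFIX + "current.png")
    with open(path, "wb") as f:
        f.write(image)
    matched = match_face(image, outcome)
    if matched:
        os.unlink(path)  # only reached on the success path
    return matched


def hardened_scan(directory: str, image: bytes, outcome: str = "ok") -> bool:
    """Hardened lifecycle: if the frame must touch disk, create it in the app's
    private directory, owner-only, with O_EXCL so a leftover is never silently
    reused, and remove it on every exit path, exceptions included."""
    path = os.path.join(directory, f"{FILE_PREFIX}{os.getpid()}-{time.time_ns()}.png")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(image)
        return match_face(image, outcome)
    finally:
        # Runs on success, rejection and exception. A hard kill of the process
        # is the one case it cannot cover; sweep_leftovers() handles that.
        if os.path.exists(path):
            os.unlink(path)


def leftover_images(directory: str) -> List[str]:
    """Spilled frames still present; should be empty after any scan."""
    return sorted(n for n in os.listdir(directory) if n.startswith(FILE_PREFIX))


def sweep_leftovers(directory: str, max_age_s: float = 0.0) -> int:
    """Startup sweep: remove frames older than max_age_s that an earlier
    process never got to delete (crash, forced stop, battery pull)."""
    removed = 0
    now = time.time()
    for name in leftover_images(directory):
        path = os.path.join(directory, name)
        if now - os.path.getmtime(path) >= max_age_s:
            os.unlink(path)
            removed += 1
    return removed


def make_scratch_dir() -> str:
    """Fresh private directory for the demonstration; a real app would use its
    sandboxed files directory, never shared or external storage."""
    return tempfile.mkdtemp(prefix="scan-")
```

Run weak_scan with outcome "reject" and leftover_images shows the frame still on disk; run hardened_scan the same way and the listing is empty. The sweep exists because try/finally is a promise the process keeps only while it is alive; a forced stop between the write and the unlink is exactly the crash case the findings describe, and only a check on the next start closes it.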
The distance between what was promised and what was delivered is hard to explain away. Von der Leyen did not present this as a prototype, a pilot, or an early build that still needed hardening before wider deployment. She described it as finished, anonymous, non-trackable, and ready. Governments and institutions often move sensitive systems toward public use on the assumption that the stated purpose will absorb scrutiny the technical work has not yet earned. With identity documents, biometric captures, and age-linked credentials involved, that assumption carries consequences a poorly secured entertainment app would not.
Child safety was central to how the app was framed throughout its rollout, and that framing deserves scrutiny on its own terms. Describing a sensitive identity tool as a child protection measure is politically effective, but it does not change what the tool does or how well it does it. An app that fails basic local access control and leaves biometric images in unprotected storage is not made safer by the language used to introduce it. When urgency around child safety is used to move faster than the underlying security work supports, the children being invoked as justification are not well served by the result.
The wider concern is what the normalization of systems like this looks like over time. When governments position age verification tied to identity documents and biometric capture as a routine requirement for accessing lawful services online, they change what the public is expected to accept as normal. The EU age verification app was presented as evidence that privacy-respecting age verification was achievable at scale. The public demo and the biometric handling findings suggest the bar for what counted as ready was set far lower than the official language implied.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.