EU Age Verification App Bypassed in 2 Minutes Despite Being Declared Ready
Original: EU Declared Age App “Ready” While GitHub Flagged it Unfit, Then Hackers Bypassed It in 2 Minutes
Why This Matters
Highlights critical security gaps in EU digital identity infrastructure rollout
Security researchers bypassed the European Commission's age verification app in under two minutes on April 16, days after President von der Leyen declared it technically ready. The GitHub repository warned the code was unsuitable for real-world use.
UK security consultant Paul Moore demonstrated bypassing the EU's age verification app by deleting encrypted PIN entries from the eudi-wallet.xml configuration file, allowing attackers to set new PINs while retaining verified credentials. The same file stored PIN attempt counters as plain integers that could be reset to zero for unlimited guessing attempts. A boolean value could disable biometric authentication entirely. Moore's X post garnered 3.2 million views. The Commission's GitHub repository explicitly warned the code was early-stage and below final product security standards, contradicting von der Leyen's April 15 announcement declaring it technically ready. After Politico reported the vulnerabilities, the Commission claimed researchers tested a demo version, though Moore and cryptographic researcher Olivier Blazy confirmed testing the latest GitHub code.
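The three file edits described above (deleting the PIN entries, resetting the attempt counter, flipping the biometric boolean) all work because nothing ties the stored values to each other or to a secret outside the file. The sketch below is an added example, not code from the Commission's repository, showing one mitigation: a MAC over the security-relevant fields, and a rule that credentials without a PIN are never a valid state. The field names, the key and the sample state are constructed for illustration, and the key is assumed to live in hardware-backed storage on a real device.

```python
import copy, hashlib, hmac, json

# Hypothetical field names; the page only says the file holds encrypted PIN
# entries, an attempt counter and a biometric boolean.
PROTECTED = ("pin_verifier", "pin_attempts", "biometric_required", "credential_ids")
KEY = b"constructed-demo-key"  # assumption: on a device, a hardware-backed key

def _mac(key, state):
    # Canonical JSON over the protected fields; a deleted field becomes null.
    msg = json.dumps({k: state.get(k) for k in PROTECTED}, sort_keys=True)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def seal(key, state):
    """Return the protected fields plus a MAC computed over them."""
    sealed = {k: state.get(k) for k in PROTECTED}
    sealed["mac"] = _mac(key, sealed)
    return sealed

# Not covered here: restoring an older sealed copy (rollback), which needs a
# monotonic counter stored alongside the key.
def load(key, stored):
    """Verify stored state; on any mismatch, lock and release no credentials."""
    tag = str(stored.get("mac", "")).encode()
    if not hmac.compare_digest(tag, _mac(key, stored).encode()):
        return {"status": "tampered", "credential_ids": []}
    if stored.get("pin_verifier") is None and stored.get("credential_ids"):
        # Credentials without a PIN is never a valid state, even if sealed.
        return {"status": "tampered", "credential_ids": []}
    return {"status": "ok", **{k: stored.get(k) for k in PROTECTED}}

def demo():
    """Apply the three edits the page describes to a constructed sealed state."""
    good = seal(KEY, {"pin_verifier": "constructed-verifier", "pin_attempts": 4,
                      "biometric_required": True, "credential_ids": ["age-over-18"]})
    no_pin = copy.deepcopy(good); del no_pin["pin_verifier"]
    reset = dict(good, pin_attempts=0)
    no_bio = dict(good, biometric_required=False)
    return {name: load(KEY, s)["status"] for name, s in
            [("untouched", good), ("pin_deleted", no_pin),
             ("counter_reset", reset), ("biometric_off", no_bio)]}

if __name__ == "__main__":
    print(demo())
```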