A security consultant bypassed the app's protections by exploiting PIN handling, editable rate limits, and disabled biometrics, all within two minutes.
A newly launched EU age-verification app was publicly shown to be vulnerable within minutes of its launch, undercutting official claims that it was ready for broad rollout.
According to a 16 April 2026 report, security consultant Paul Moore said he could bypass the app’s protections in less than two minutes by exploiting weaknesses in how it stored and handled PIN and authentication settings.
The app is part of the European Union’s effort to let users prove their age online without handing over more personal data to websites. EU leaders have presented it as a privacy-preserving tool built to reduce the need for platforms to collect sensitive identity information. However, Moore’s demonstration suggests the system’s defenses were poorly designed. He said the app kept an encrypted PIN locally on the device, yet that PIN was not securely linked to the vault holding the user’s verification credentials, making it possible to remove the PIN values, restart the app, and set a new PIN while retaining access to older verified credentials.
Moore also pointed to other weaknesses that made the bypass easier. Rate limiting appeared to be stored as an editable counter in the same configuration file, and biometric authentication could reportedly be disabled by changing a simple on-off setting.
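The design gap described above is that the PIN and the credential vault were independent of each other. The sketch below is an added example, not code from the app or from Moore's report: it derives the vault keys from the PIN, so a newly chosen PIN cannot open or re-key an existing vault, and settings kept inside the sealed record cannot be edited undetected. All function names, the work factor and the sample data are assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

ITERATIONS = 200_000  # illustrative work factor (assumption, not from the app)

def _keys(pin: str, salt: bytes):
    # Stretch the PIN into separate encryption and MAC keys.
    k = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stdlib stand-in for a vetted AEAD such as AES-GCM; use a real AEAD in practice.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vault(pin: str, credentials: dict) -> dict:
    """Encrypt-then-MAC the credentials under keys derived from the PIN."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(pin, salt)
    ct = _xor_stream(enc_key, nonce, json.dumps(credentials).encode())
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}

def open_vault(pin: str, record: dict) -> Optional[dict]:
    """Return the credentials, or None for a wrong PIN or a modified record."""
    salt, nonce, ct = (bytes.fromhex(record[f]) for f in ("salt", "nonce", "ct"))
    enc_key, mac_key = _keys(pin, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return json.loads(_xor_stream(enc_key, nonce, ct))

def change_pin(old_pin: str, new_pin: str, record: dict) -> Optional[dict]:
    """Re-seal under a new PIN; impossible without first opening with the old one."""
    credentials = open_vault(old_pin, record)
    return None if credentials is None else seal_vault(new_pin, credentials)

if __name__ == "__main__":
    # Constructed sample data: a verified-age claim plus a biometrics setting.
    vault = seal_vault("4821", {"over_18": True, "biometrics": True})
    print(open_vault("4821", vault))          # the original PIN opens the vault
    print(open_vault("0000", vault))          # a freshly chosen PIN does not
    print(change_pin("0000", "1111", vault))  # nor can it re-key the vault
```

A short PIN has little entropy, so key stretching only slows offline guessing; binding the key to a hardware-backed keystore and keeping the attempt counter there, rather than in an editable file, is what limits guessing in practice.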
The issue has stirred wider criticism because the app is being promoted as a privacy-friendly way to restrict minors’ access to adult content and other age-gated services. Critics argue that if basic protections can be defeated so quickly, the system could become a target for larger attacks once it is widely deployed.
The EU had also praised the project’s open-source approach as a transparency feature, but the public code review appears to have exposed problems almost immediately rather than reassuring skeptics.
The controversy now adds pressure on officials to explain how a tool meant to protect children and preserve privacy could be bypassed so easily before it is rolled out more broadly.


