Security researchers hacked the demo version of the European Commission’s new age verification app in less than two minutes

I’ve said it before, and I’ll say it again: I’m really not keen on handing over any of my personally identifying details to a third-party age verification vendor. Whether it be a scan of my face, my official ID, or my payment card, I’d rather not engage with yet another potential point of failure for my data to leak out from. Unfortunately, we are rapidly approaching a widely age-gated internet.

As such, the European Commission has been working on developing an app to use across online services in EU member states. EC president Ursula von der Leyen recently stated that this age verification app is “technically ready” and will “soon [be] available for citizens to use.” A demo of the Android app is available via GitHub—though security researchers claim they were able to bypass the security practices of this version in under two minutes (via SOFX).

UK-based security consultant Paul Moore took to X to demonstrate just how easy it is to steal the contents of someone else’s ‘identity wallet’ and present it as your own. Moore tagged von der Leyen in his post, before writing, “This product will be the catalyst for an enormous breach at some point. It’s just a matter of time.”

The app currently requires users to input a six-digit PIN. However, Moore’s screen recording demonstrates you can easily scrub a user’s previous PIN from the app’s eudi-wallet.xml configuration file, set a fresh PIN via the app, and then use that to gain access to the verified credentials saved to the device. This bypass could be used by bad actors—or the youngsters in your life who know how to unlock your phone and possess enough technical know-how to find the .xml in question.
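The bypass described above works when the PIN is only a record the app checks, rather than something the stored credentials cryptographically depend on. The following is an added example, not code from the app or from Moore's post: a simplified model of that weak pattern beside a design where the credential is sealed under a PIN-derived key, so removing the PIN record and setting a new PIN opens nothing. All function names, the `pin_hash` key, the sample PINs and the sample credential are assumptions made for illustration.

```python
import hashlib, hmac, os

def kdf(pin: str, salt: bytes) -> bytes:
    # Slow KDF. A 6-digit PIN has only 10**6 values, so a production wallet
    # would also mix in a hardware-backed key; that part is not modelled here.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def keystream(key: bytes, n: int) -> bytes:
    # Stdlib-only stand-in for a real AEAD such as AES-GCM (HMAC in counter mode).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(pin: str, credential: bytes) -> bytes:
    """Encrypt-then-MAC the credential under a key derived from the PIN."""
    salt = os.urandom(16)
    key = kdf(pin, salt)
    ct = bytes(a ^ b for a, b in zip(credential, keystream(key, len(credential))))
    return salt + hmac.new(key, b"mac" + ct, hashlib.sha256).digest() + ct

def unseal(pin: str, blob: bytes):
    """Return the credential, or None if the PIN is wrong or the blob was altered."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = kdf(pin, salt)
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))

def weak_unlock(settings: dict, pin: str, credential: bytes):
    """Simplified model of the weak pattern: the PIN is only a settings record."""
    digest = hashlib.sha256(pin.encode()).hexdigest()
    if "pin_hash" not in settings:      # missing record is treated as first run
        settings["pin_hash"] = digest
    return credential if hmac.compare_digest(settings["pin_hash"], digest) else None

def demo():
    cred = b"age_over_18=true"          # constructed sample credential
    settings = {"pin_hash": hashlib.sha256(b"481516").hexdigest()}
    blob = seal("481516", cred)
    del settings["pin_hash"]            # PIN record removed from the settings store
    return (weak_unlock(settings, "000000", cred),  # credential released
            unseal("000000", blob),                 # None: new PIN cannot open it
            unseal("481516", blob))                 # original PIN still works
```

In the sealed design, tampering with the settings store fails closed: the worst outcome is that the credential becomes unreadable, not that it is handed to whoever sets the next PIN.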

The European Commission clarified to Politico last week that this exploit was present in the demo version, but that the bypass would not be present in the full release. Digital spokesperson Thomas Regnier introduced some wiggle room, explaining, “When we say it’s a final version, it’s still a demo version…the code will be constantly updated and improved.”

The whole episode follows a joint statement from 400 security researchers sent to the European Commission last month. This statement raised a number of concerns, including how easy it is to bypass existing age estimation services (our James has written about two different methods).

Still, chief spokesperson Paula Pinho stood by President von der Leyen’s original statement, telling reporters, “Yes, [the final version of the app] is ready. Maybe we can add, ‘and it can always be improved’.” So it often goes in software development—but given the app in question is the result of a €4 million tender, that’s going to be little comfort to grumpy guts like me or folks who genuinely just want to keep their kids safe online.
