Security researchers bypassed the European Commission’s new age verification app in under two minutes on April 16, days after Commission President Ursula von der Leyen declared the open-source tool “technically ready,” even as the app’s own GitHub repository carried an explicit warning that the code was not suitable for real-world use.
Our app ticks all the boxes.
✅ Highest privacy standards in the world
✅ Works on any device
✅ Easy to use
✅ Fully open source pic.twitter.com/EUqHlA3ts0
— Ursula von der Leyen (@vonderleyen) April 15, 2026
UK-based security consultant Paul Moore posted a screen-recorded demonstration to X showing that deleting the encrypted PIN entries from the app’s eudi-wallet.xml shared-preferences file let anyone with write access to the app’s local storage set a new PIN while the credentials already verified under the old PIN stayed usable.
The same file held the PIN attempt counter as a plain integer; writing it back to zero removed the lockout and allowed unlimited guesses.
Flipping a single boolean in the same file switched biometric authentication off entirely. Moore’s post, which tagged von der Leyen directly, drew more than 3.2 million views.
Hacking the #EU #AgeVerification app in under 2 minutes.
During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.
1. It shouldn’t be encrypted at all – that’s a really poor design.
2. It’s not… https://t.co/z39qBdclC2 pic.twitter.com/FGRvWtWzaZ
— Paul Moore – Security Consultant (@Paul_Reviews) April 16, 2026
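The three file-level weaknesses described above (deletable PIN entries, a plain-integer attempt counter, a plain-boolean biometric switch) come down to one design mistake: the app trusts state read back from a file that the device owner, or anyone with access to the app's storage, can edit. The following is an added example, not code from the EU app or its GitHub repository. It models that state in a shared_prefs-style XML file, shows the naive gate accepting the edited values, and shows a keyed HMAC seal over the whole file rejecting any edit, deletion or missing seal. The entry names (`encrypted_pin`, `pin_attempts`, `biometrics_enabled`, `state_mac`) and the in-memory key are assumptions; on Android the key would be held in the hardware-backed Keystore, not in the file.

```python
"""Tamper-evident PIN/biometric gate state (added example, not the app's code).

Models the shared_prefs-style file described in the article. Entry names
and the in-memory key are assumptions; a real app would hold the key in
the Android Keystore so that editing the file cannot also re-seal it.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

MAX_ATTEMPTS = 5

# Constructed sample in the Android shared_prefs <map> format.
# The "encrypted_pin" value is filler, not real ciphertext.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="encrypted_pin">AQIDBAUGBwgJCgsMDQ4PEA==</string>
    <int name="pin_attempts" value="5" />
    <boolean name="biometrics_enabled" value="true" />
</map>
"""


def parse_prefs(xml_text):
    """Read a shared_prefs <map> into a dict of typed Python values."""
    prefs = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name")
        if el.tag == "int":
            prefs[name] = int(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        else:
            prefs[name] = el.text or ""
    return prefs


def serialize_prefs(prefs):
    """Write the dict back out in the same <map> format."""
    root = ET.Element("map")
    for name, value in prefs.items():
        if isinstance(value, bool):  # bool first: bool is an int subclass
            ET.SubElement(root, "boolean", name=name, value=str(value).lower())
        elif isinstance(value, int):
            ET.SubElement(root, "int", name=name, value=str(value))
        else:
            ET.SubElement(root, "string", name=name).text = value
    return ET.tostring(root, encoding="unicode")


def gate_decision(prefs):
    """What the gate does with the stored state once it has decided to use it."""
    return {
        "needs_new_pin": "encrypted_pin" not in prefs,  # missing PIN -> enrol a new one
        "attempts_left": MAX_ATTEMPTS - prefs.get("pin_attempts", 0),
        "biometrics": prefs.get("biometrics_enabled", False),
    }


def naive_gate(xml_text):
    """Vulnerable pattern: every value in the file is trusted as-is."""
    return gate_decision(parse_prefs(xml_text))


def attacker_edit(xml_text):
    """The three edits described above, by someone who can write the file."""
    prefs = parse_prefs(xml_text)
    prefs.pop("encrypted_pin", None)     # delete the PIN entry, keep everything else
    prefs["pin_attempts"] = 0            # reset the lockout counter
    prefs["biometrics_enabled"] = False  # switch biometrics off
    return serialize_prefs(prefs)


def _canonical(prefs):
    """Stable byte encoding of every entry except the seal itself."""
    return repr(sorted((k, v) for k, v in prefs.items() if k != "state_mac")).encode()


def seal(prefs, key):
    """Re-seal the whole state with a keyed HMAC on every write."""
    sealed = {k: v for k, v in prefs.items() if k != "state_mac"}
    sealed["state_mac"] = hmac.new(key, _canonical(sealed), hashlib.sha256).hexdigest()
    return serialize_prefs(sealed)


def hardened_gate(xml_text, key):
    """Hardened pattern: refuse the state unless the seal verifies.

    Returns None on any edit, deleted entry or missing seal. The caller
    must treat None as 'no enrolment and no usable credentials', never
    as a fresh install that keeps the previously verified credentials.
    """
    prefs = parse_prefs(xml_text)
    expected = hmac.new(key, _canonical(prefs), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(prefs.get("state_mac", ""), expected):
        return None
    return gate_decision(prefs)


if __name__ == "__main__":
    key = b"\x01" * 32  # stand-in for a Keystore-held key (assumption)
    print("naive, original :", naive_gate(SAMPLE_PREFS))
    print("naive, edited   :", naive_gate(attacker_edit(SAMPLE_PREFS)))
    sealed = seal(parse_prefs(SAMPLE_PREFS), key)
    print("sealed, original:", hardened_gate(sealed, key))
    print("sealed, edited  :", hardened_gate(attacker_edit(sealed), key))
```

The seal only helps if the key is unreachable from the file the attacker edits and if a verification failure is treated as loss of enrolment, including the credentials; otherwise deleting the file still yields the "new PIN, old credentials" outcome. It also does nothing about how the PIN itself is stored: a seal over a reversibly encrypted PIN is still a seal over a recoverable secret, and a salted, iterated verifier (or a Keystore key gated on user authentication) is the usual choice, which this block deliberately does not cover.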
A review of the Commission’s GitHub repository for the app revealed an explicit notice stating the code represented an early-stage release. The disclaimer warned that security and privacy protections fell below the standards of the intended final product and that the application was not recommended for real-world deployment. President von der Leyen’s April 15 announcement, however, contained no such qualifications.
After Politico reported the vulnerabilities, the Commission stated that researchers had tested a “demo version” released only for development purposes and that the flaw “was fixed.”
Both Moore and cryptographic researcher Olivier Blazy said their tests were conducted on the latest version of the code published to GitHub.
Digital spokesperson Thomas Regnier then walked back the “final version” framing, stating, “When we say it’s a final version, it’s still a demo version.”
Blazy, part of a French government digital identity task force, described a scenario in which a minor could access a verified adult’s profile to pass an age check. “Such a rushed launch could undermine trust in future digital identity wallets,” he said.
Baptiste Robert, a French white-hat hacker, separately confirmed to Politico that the biometric authentication bypass was reproducible.
Telegram founder Pavel Durov posted on X on April 17 predicting that Brussels would use the security failure to strip privacy protections from the app, characterizing the outcome as “a surveillance tool sold as privacy-respecting.”
The “age verification app” the EU wants to impose on the world got hacked in 2 minutes.
Step 1: Present a “privacy-respecting” but hackable solution.
Step 2: Get hacked (you are here).
Step 3: Remove privacy to “fix” it.
Result: a surveillance tool sold as “privacy-respecting”.
— Pavel Durov (@durov) April 17, 2026
The app was built under a €4 million Commission tender awarded to Swedish digital identity firm Scytales and Deutsche Telekom. It uses zero-knowledge proof (ZKP) technology, which allows platforms to confirm a user’s age without accessing broader personal data. That property limits what the relying platform learns; the bypasses described above concern who can unlock and present the credential on the device, a layer the proof itself does not protect.
More than 400 cybersecurity and privacy researchers had written to the Commission in March requesting a moratorium on deployment pending independent security review.