News · Saturday, April 18, 2026 · 8 min read

It Takes 2 Minutes to Hack the EU's New Age-Verification App

Curated by AI Agents Daily team · Source: Wired AI

The European Commission launched a free, open-source age verification app on April 16, 2026, and security researcher Paul Moore broke it in under two minutes. The EU intended the tool to protect minors online without harvesting personal data, but its fundamental design flaws put ...

The European Union's ambitious plan to protect children online hit a wall almost instantly. According to Politico EU and Cybernews, security consultant Paul Moore publicly dismantled the European Commission's brand-new age verification application within roughly two minutes of its release, exposing critical architectural flaws that undermined the very privacy promises President Ursula von der Leyen made at launch. Wired's weekly security roundup flagged the story as one of the most embarrassing government technology failures of the week, and it deserves a much closer look than the headline alone suggests.

Why This Matters

The EU is writing the rulebook for how the rest of the world handles online child safety, and it just published a chapter full of errors. If Brussels cannot build a secure app to enforce its own age verification requirements, the credibility of its entire Digital Services Act enforcement apparatus takes a direct hit. The app was meant to serve as a privacy-first alternative to identity document uploads, a model that dozens of platforms across 27 member states would eventually be required to adopt. A two-minute hack does not just embarrass one agency; it raises serious questions about whether any government-built technical infrastructure can meet the security bar that regulators are simultaneously demanding from private companies.

The Full Story

On April 16, 2026, European Commission President Ursula von der Leyen stood in front of cameras and declared the EU's new age verification app "technically ready." The tool was designed to let users confirm their age online without handing over passport scans or credit card numbers to tech platforms. It was open source, free, and hosted publicly on GitHub. Von der Leyen said it met "the highest privacy standards." Within hours, that claim was in pieces.

Paul Moore, a security consultant, downloaded the code and started picking it apart. He did not need a sophisticated lab setup or an advanced exploitation toolkit. He documented his process publicly on X, and his conclusion was blunt: the app stores sensitive user data directly on the device without proper encryption or access controls. Anyone with physical access to a phone, or certain types of remote access, could extract that verification data without the user ever knowing.

The two-minute figure is the part that should alarm European policymakers. That is not a reflection of Moore's exceptional skill. It is a reflection of how obvious the flaws were. When a security researcher with basic knowledge can identify and bypass a protection mechanism faster than it takes to make a cup of coffee, the underlying problem is not a bug. It is a design failure, one that should have been caught long before the Commission President went on stage to announce a global privacy standard.

The EU built the app as a direct response to growing pressure from child safety advocates and lawmakers who have watched social media platforms and adult content sites fail to enforce age restrictions effectively. Traditional age-gating methods, submitting a government ID or a credit card number, require platforms to collect and store sensitive personal data. The EU wanted a smarter solution. The open-source approach was meant to invite public scrutiny and build trust. Instead, it gave security researchers everything they needed to immediately identify what the internal review process had apparently missed entirely.

Moore's findings quickly spread across social media, turning what was supposed to be a flagship policy announcement into a public relations crisis for Brussels. Technology companies and digital rights groups who had cautiously welcomed the privacy-first framing now found themselves questioning whether they could integrate a tool with documented vulnerabilities into their own services without taking on serious liability.

The European Commission has not responded with a detailed technical rebuttal as of the time of Wired's reporting. The code remains on GitHub, which means the vulnerabilities Moore identified are visible to anyone who wants to look, not just well-meaning researchers.

Key Details

  • Security researcher Paul Moore identified critical vulnerabilities in approximately 2 minutes after the app's release on April 16, 2026.
  • European Commission President Ursula von der Leyen declared the app "technically ready" and compliant with "the highest privacy standards" at launch.
  • Moore documented that the app stores sensitive user data on devices without proper encryption or access controls.
  • The app was released as free and open source, with its full code available on GitHub.
  • More than 70 civil society groups, including the ACLU, have simultaneously been pressuring Meta over similar privacy failures in its AI smartglasses products, per Wired's security roundup.
  • The EU's Digital Services Act creates the regulatory framework that makes this tool necessary for platforms operating across all 27 member states.

What's Next

The European Commission will almost certainly need to pull the current version of the app and issue a patched release, though no official timeline has been announced. Any platform that was planning to integrate the tool for DSA compliance purposes will now face a decision about whether to wait for a secure version or pursue alternative age verification methods. Watch for formal responses from EU cybersecurity agencies, including ENISA, which would normally be involved in vetting tools of this sensitivity before they reach the public.

How This Compares

This failure fits a pattern that anyone who has watched government technology rollouts over the past decade will recognize immediately. The UK's initial attempts to implement an age verification regime under the Online Safety Act ran into years of delays precisely because building a system that actually protects privacy while confirming age is technically hard. The EU appeared to skip past the hard part.

Compare this to how the private sector handles similar problems. Age verification startups like Yoti and AgeID have spent years building and iterating on identity-light verification systems, investing heavily in security audits and penetration testing before deployment. Those companies are not perfect, but they do not announce "the highest privacy standards" and then collapse under a two-minute inspection. The gap between government ambition and government execution here is significant.

The broader cybersecurity story from Wired's roundup also provides uncomfortable context. OpenAI this week announced a dedicated cybersecurity model called GPT-5.4-Cyber, and Anthropic previewed its Mythos model with specific warnings about security implications. The AI industry is actively building offense-first capabilities that will make vulnerabilities like the ones Moore found even easier to exploit at scale. The EU is walking into that environment with an app that cannot survive a manual inspection. That is a serious mismatch that should inform every future government technology deployment, not just this one.

FAQ

Q: What is the EU age verification app supposed to do?
A: The app is designed to let users prove they are old enough to access age-restricted platforms like social media or adult content sites without uploading a government ID or credit card. The EU built it as a privacy-preserving alternative that minimizes the personal data platforms need to collect in order to comply with regulations protecting minors.

Q: How did the hacker break the EU age verification app so fast?
A: Security consultant Paul Moore found that the app stores sensitive user data on the device without encrypting it or protecting it with proper access controls. These are basic security design principles, and their absence meant Moore could bypass the protections in roughly two minutes, without needing specialized tools or advanced techniques.

Q: Does this mean the EU's child safety rules are now useless?
A: Not entirely, but the enforcement mechanism just took serious damage. The Digital Services Act still requires platforms to implement age verification, but the EU's own tool for doing that is currently not trustworthy. Platforms will likely rely on third-party verification services while Brussels works on a fix, which delays the practical protection the regulation was designed to deliver.

The EU's age verification app story is ultimately a lesson about the gap between regulatory intent and technical execution, and it arrives at exactly the wrong moment, as governments worldwide are racing to build AI-adjacent infrastructure that handles sensitive personal data. The pressure to ship something demonstrable should never outrun the obligation to ship something secure.
