Security of EU age verification app compromised by hack

Main points

  • The European Commission launched an age verification app that hackers cracked in two minutes due to serious architectural flaws.
  • Key issues include insecure password storage and shortcomings in biometric authentication, which pose a threat to digital security in the EU.


The European Commission has announced an innovative solution to protect children in the digital space, one that was supposed to become a benchmark for privacy. However, real-world tests have shown that the ambitious age verification tool contains fundamental design flaws that allow unauthorized parties to gain full access to a profile.

How did hackers manage to break the application?

The launch of a new mobile application for digital age verification, which took place on April 14, 2026, was intended to create a safe environment for minors and limit their access to harmful content. However, within a few days of its release, a scandal erupted around the software, writes GBHackers.

British cybersecurity consultant Paul Moore has demonstrated that the protection system can be completely neutralized in less than two minutes. The specialist analyzed the open source code and found serious flaws in the application's architecture that contradict the claims of senior officials about the highest global privacy standards.

The main problem lies in the mechanism for generating and storing the personal identification number (PIN). During the first setup, the program encrypts the user's password and stores it directly on the device in a special configuration directory known as shared preferences.

The researchers found that this encrypted password has no cryptographic link to the main identity repository, where the actual credentials are stored for verification. This means that the encryption fails to perform its protective function, as the files remain editable.

The hacking method turned out to be extremely simple for anyone with physical access to the smartphone. All the attacker needs to do is delete certain values from the configuration file, restart the application and set a new password of their own choosing. After that, the system treats the data from the original verified profile, which belongs to someone else, as valid under the attacker's new password.

This vulnerability allows digital identity theft without any warning or notification to the owner.

In addition to password manipulation, two more critical vulnerabilities were found in the same configuration file:

  • First, protection against password guessing is implemented as an ordinary counter that can be manually reset to zero, which permits an unlimited number of guesses, reports Cyber Security News.
  • Second, biometric verification, such as a fingerprint or facial scan, is controlled by a simple toggle in the settings. By changing a single value in the file to “false,” a hacker can completely disable biometric authentication and log into the app without any additional verification.
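The two groups of flaws described above (a stored PIN with no cryptographic link to the identity vault, and a guess counter and biometric flag kept as plain editable values) share one mitigation pattern, sketched here as an added example that is not code from the app or from the researcher. The field names, the `DEVICE_KEY` stand-in for a hardware-backed key and the HMAC tag standing in for authenticated decryption of the vault are all assumptions.

```python
import hashlib, hmac, json, os

# Assumption: stands in for a hardware-backed keystore key that is never
# written to the editable preferences file.
DEVICE_KEY = os.urandom(32)

def pin_key(pin, salt):
    # Slow KDF: the vault key exists only while the correct PIN is supplied.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

def binding_tag(pin, salt):
    # Stand-in for AEAD decryption of the vault under the PIN-derived key.
    return hmac.new(pin_key(pin, salt), b"vault-binding", "sha256").digest()

def state_mac(state):
    body = json.dumps(state, sort_keys=True).encode()
    return hmac.new(DEVICE_KEY, body, "sha256").hexdigest()

def seal_state(state):
    # Counter and biometric flag are MACed, so a file edit is detectable.
    return {"state": state, "mac": state_mac(state)}

def enroll(pin):
    # The salt and tag live with the vault, not in the preferences file.
    salt = os.urandom(16)
    vault = {"salt": salt, "tag": binding_tag(pin, salt)}
    prefs = seal_state({"failed_attempts": 0, "biometric_required": True})
    return prefs, vault

def unlock(pin, prefs, vault):
    # Fail closed if the preferences were edited, stripped or replaced.
    if not hmac.compare_digest(state_mac(prefs.get("state")), str(prefs.get("mac"))):
        return False
    # Access depends on the vault's own binding, not on a stored PIN record.
    return hmac.compare_digest(binding_tag(pin, vault["salt"]), vault["tag"])
```

With this layout, wiping the preferences and enrolling a new PIN yields only a new, empty vault. A MAC alone does not stop an older sealed file from being restored, so the counter also needs rollback protection, which is not shown.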

Experts stress that such design flaws are fundamental miscalculations, not minor oversights. The situation is complicated by the fact that this application was developed as a prototype for a much larger ecosystem, the European digital identity wallet. This makes the identified security holes potentially dangerous for the critical national infrastructure of the entire European Union.

It is worth noting that this is not the first alarm signal. In March 2026, a flaw was already found in the system architecture, due to which it was impossible to confirm whether the passport check was actually taking place on the user's device. Despite the warnings of experts that the product in this state could cause a massive data leak, as of April 17, 2026, the European Commission has not released an official update to correct the situation.

The app is currently in pilot testing in six countries, including France, Denmark, and Spain.
