EU's 'Safe by Design' Age-Verification App Cracked in Minutes, Undermining Core Privacy Promise

The European Union's flagship age-verification app, promoted as a privacy-preserving tool to protect children online, has been found critically vulnerable, with security researchers demonstrating it can be hacked in under two minutes. This fundamental flaw, identified almost immediately after launch, directly contradicts the app's 'safe by design' marketing and has triggered intense scrutiny of the EU's broader strategy for online age verification and digital identity.

The app, introduced by the European Commission as an open-source tool to let users prove their age across platforms without sharing personal data, contains a basic security failure. According to researchers, the PIN code a user creates during setup is not properly tied to the identity data it is meant to protect. An attacker can reportedly delete specific entries from a file on the device, bypassing the PIN and gaining access. This vulnerability undermines the core promise of the system: to verify age while preserving user privacy and security.

The rapid discovery of this critical flaw raises significant questions about the robustness of the EU's technical implementation and its oversight process. It places immediate pressure on the European Commission to explain how such a fundamental weakness passed through development and testing. The incident also fuels broader debates about the security risks inherent in centralized digital identity and age-verification systems, potentially slowing adoption and eroding public trust in similar government-led digital initiatives.