<![CDATA[Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app.]]>Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/

(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)

]]>https://board.circlewithadot.net/topic/33bd5c9d-1d71-4473-9150-a5328e3c36a2/embarrassing-times-for-the-european-commission-after-security-researchers-found-flaws-within-minutes-of-using-its-age-verification-app.RSS for NodeFri, 15 May 2026 07:02:10 GMTFri, 17 Apr 2026 13:21:24 GMT60<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 21:28:01 GMT]]>@zackwhittaker

Awesome! The way I see it, an age verification app should be trivially breakable, and any kid who breaks it should have full adult privileges.

Start 'em Young!

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/lemgandi/statuses/116422166541026767https://board.circlewithadot.net/post/https://mastodon.social/users/lemgandi/statuses/116422166541026767Fri, 17 Apr 2026 21:28:01 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 19:39:46 GMT]]>@zackwhittaker
@EUCommission
@echo_pbreyer

instead of having age verification,

since we're supposedly pursuing online safety

why not take cues from industrial safety,

and mandate a BIG red button on a yellow background for every post/user/channel that when clicked,
immediately hides and unloads that post/user/channel's content for the person pressing it, with a pop-up to report the post/user/channel to the moderation staff of the service?

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/breathOfLife/statuses/116421740901958782https://board.circlewithadot.net/post/https://infosec.exchange/users/breathOfLife/statuses/116421740901958782Fri, 17 Apr 2026 19:39:46 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 19:21:09 GMT]]>@zackwhittaker
What I really don't understand, especially when it comes to security-relevant software, is why the code isn't reviewed and the software isn't tested by independent external experts before release? Such an embarrassing situation, just like in the case of the electronic patient record (ePa), could be avoided.

]]>https://board.circlewithadot.net/post/https://social.anoxinon.de/users/gemini/statuses/116421667666143163https://board.circlewithadot.net/post/https://social.anoxinon.de/users/gemini/statuses/116421667666143163Fri, 17 Apr 2026 19:21:09 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 18:22:07 GMT]]>@zackwhittaker

Told you so…

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/xs4me2/statuses/116421435523528744https://board.circlewithadot.net/post/https://mastodon.social/users/xs4me2/statuses/116421435523528744Fri, 17 Apr 2026 18:22:07 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 18:02:46 GMT]]>@zackwhittaker *crazed* hahahahahahaha

And these are the people that people in country keep putting in charge. Here in the USA, we are the example of what not to do. We should be a warning, not a model to follow.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/atraidez/statuses/116421359473113218https://board.circlewithadot.net/post/https://infosec.exchange/users/atraidez/statuses/116421359473113218Fri, 17 Apr 2026 18:02:46 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 17:30:18 GMT]]>@zackwhittaker let's stop doing 's work for them. Citizens of the are going to need every single one of these exploits to circumvent this

This is the single edge case in which ethical disclosure of software vulnerabilities works against the community. Let's STOP fixing this 🫡🙏

]]>https://board.circlewithadot.net/post/https://mastodon.social/ap/users/116401107525975086/statuses/116421231824209671https://board.circlewithadot.net/post/https://mastodon.social/ap/users/116401107525975086/statuses/116421231824209671Fri, 17 Apr 2026 17:30:18 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 17:23:32 GMT]]>@kaidu @zackwhittaker

It stores medical presciptions, driver's licences, educational qualifications

All exchanges of data with third-parties are tracked ie. it knows who you verified your data with

It uses the app stores to install on your phone ie. Google and Apple - so you know it's trustworthy. lol.

I examined the repo closely. I took out 6 key points. I also shot a highlight video if you're interested?

https://mastodon.social/@DazRunner/116410668945303557

]]>https://board.circlewithadot.net/post/https://mastodon.social/ap/users/116401107525975086/statuses/116421205199947966https://board.circlewithadot.net/post/https://mastodon.social/ap/users/116401107525975086/statuses/116421205199947966Fri, 17 Apr 2026 17:23:32 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 16:39:19 GMT]]>@zackwhittaker by starting + get reviews and tips >> there will come something nice I guess

Comitees are also just people 😉

]]>https://board.circlewithadot.net/post/https://social.vivaldi.net/users/EllisLove/statuses/116421031350673594https://board.circlewithadot.net/post/https://social.vivaldi.net/users/EllisLove/statuses/116421031350673594Fri, 17 Apr 2026 16:39:19 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 16:37:25 GMT]]>@zackwhittaker I also now read your blog post and for me it seems that the eu age verification app seems to adresss all your concerns:
- it does not store private data (except for age)
- it does not use an ID
- it is not run by a private company
It is even open source!.

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/kaidu/statuses/116421023859165353https://board.circlewithadot.net/post/https://mastodon.social/users/kaidu/statuses/116421023859165353Fri, 17 Apr 2026 16:37:25 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 16:30:36 GMT]]>@zackwhittaker HACK THE AGEVERIFICATION APPS!

]]>https://board.circlewithadot.net/post/https://chaos.social/ap/users/116213669892773543/statuses/116420997069804610https://board.circlewithadot.net/post/https://chaos.social/ap/users/116213669892773543/statuses/116420997069804610Fri, 17 Apr 2026 16:30:36 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 16:24:56 GMT]]>@zackwhittaker isn't that the point of being open source? So that everyone can hack it and show where the flaws are? So that it can be improved. I'm not sure about your experience with apps, but I receive updates several times per week, sometimes multiple times a day. This project is not even in its released form yet and so many people have doomed it already. I don't understand the dooming as if everything is lost and over. You can never have perfect software from the first try.

]]>https://board.circlewithadot.net/post/https://androiddev.social/users/luboganev/statuses/116420974787072925https://board.circlewithadot.net/post/https://androiddev.social/users/luboganev/statuses/116420974787072925Fri, 17 Apr 2026 16:24:56 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 16:17:23 GMT]]>@zackwhittaker Don't fully understand the complaints. The app is just that: an app on your phone to simplify the verification process. I don't think it is even necessary to "hack" it, you could just write your own fork of the app, right?
The age verification process itself seems to be unrelated to that problem.

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/kaidu/statuses/116420945114418600https://board.circlewithadot.net/post/https://mastodon.social/users/kaidu/statuses/116420945114418600Fri, 17 Apr 2026 16:17:23 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 16:05:02 GMT]]>@zackwhittaker

Full disclosure: I am very much opposed to this very, very bad idea.

https://infosec.exchange/@avuko/116412737384374405

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/avuko/statuses/116420896548581833https://board.circlewithadot.net/post/https://infosec.exchange/users/avuko/statuses/116420896548581833Fri, 17 Apr 2026 16:05:02 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 16:02:14 GMT]]>@zackwhittaker

https://digital-strategy.ec.europa.eu/en/news/commission-releases-enhanced-second-version-age-verification-blueprint

"Work is ongoing to include zero-knowledge proof technology [...] this technology will further underscore the commitment to privacy-focused innovation.

From the documentation:

https://github.com/eu-digital-identity-wallet/av-doc-technical-specification/blob/main/docs/architecture-and-technical-specifications.md

Zero-Knowledge Proofs

A next version of the Technical Specifications for Age Verification Solutions will include as an experimental feature the Zero-Knowledge Proof (ZKP) solution [...]

"A next version", "experimental", but fully committed to privacy-focused innovation.

It includes this gem:

This backward compatibility allows AVIs to gracefully fall back to traditional protocols in environments where ZKPs are not supported.

Not a cryptographer, but this backwards compatibility (on something that doesn't exist yet, but let's ignore that) feels like a downgrade attack waiting to happen.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/avuko/statuses/116420885537984155https://board.circlewithadot.net/post/https://infosec.exchange/users/avuko/statuses/116420885537984155Fri, 17 Apr 2026 16:02:14 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 15:49:34 GMT]]>RE: https://mastodon.social/@zackwhittaker/116420253095786124

@zackwhittaker
Yep, two minutes to hack or break.

Bet my grandchildren ccould do it in one minute.

Age verifaction apps, software will never work for there intended purpose. And who alone knows their unintended consequences. Bad idea best left alone.

]]>https://board.circlewithadot.net/post/https://mastodon.social/ap/users/116294774733552831/statuses/116420835697775204https://board.circlewithadot.net/post/https://mastodon.social/ap/users/116294774733552831/statuses/116420835697775204Fri, 17 Apr 2026 15:49:34 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 15:46:37 GMT]]>@zackwhittaker what do youcexpect with at the helm of @EUCommission ?

  • Her biggest was insulting everyone who was more than her (aka. able to change settings) as "hardened pedo criminal" almost 20 years ago, to the point that CSA victims had to tell her to 'STFU!'
    • I still demand her personal apology to this day, with interest!!!
]]>https://board.circlewithadot.net/post/https://jorts.horse/users/kkarhan/statuses/116420824077995304https://board.circlewithadot.net/post/https://jorts.horse/users/kkarhan/statuses/116420824077995304Fri, 17 Apr 2026 15:46:37 GMT<![CDATA[Reply to Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. on Fri, 17 Apr 2026 14:08:32 GMT]]>@zackwhittaker@mastodon.social I'm not sure you can call it a hack. You can change the app pin from outside the app if you have access to the phone and it's unlocked.

]]>https://board.circlewithadot.net/post/https://toot.pouyan.net/objects/694226bc-dd34-487d-a78e-2a78c431d4f9https://board.circlewithadot.net/post/https://toot.pouyan.net/objects/694226bc-dd34-487d-a78e-2a78c431d4f9Fri, 17 Apr 2026 14:08:32 GMT