The EU's Age Verification App Was Hacked in Two Minutes and Patched the Next Day

By Tech Writer and Security Investigator Dominykas Zukas
Last updated: 20 April, 2026

Key Takeaways

  • Security consultant Paul Moore bypassed the EU's free age verification app in under two minutes by deleting two values from a plain-text, user-editable config file.
  • The same file controlled PIN encryption, rate-limiting counters, and biometric bypass flags, meaning a basic file explorer was the only tool needed to defeat it.
  • A March 2026 analysis separately found the app cannot verify that passport validation actually occurred on a user's device, making the entire trust chain unverifiable.
  • The Commission acknowledged the issue and confirmed a new version, 2026.04-2, had been released the same day with security improvements.
  • The app is built on the same technical specifications as the EUDI Wallet, which all member states must deploy to hundreds of millions of citizens by the end of 2026.

The App the Commission Called Technically Ready

The European Commission unveiled its free age verification app as "technically ready" earlier this month, with Commission President Ursula von der Leyen praising it as a high-privacy, open-source solution for protecting children online and urging member states to adopt it fast. Six are already running pilots.

The app verifies age using biometric facial scans, NFC passport data, and selfies. It was built to be free specifically to avoid commercial data harvesting, and it is explicitly designed as a bridge to the European Digital Identity Wallet: it shares the wallet's technical specifications and is intended for future integration.

Security consultant Paul Moore published his bypass demonstration almost immediately after the launch announcement, and the timing tells you everything about the gap between how the Commission presented this app and what it actually was.

Two Minutes, a File Explorer, and No Special Tools Required

Moore's bypass required no exploits, no custom software, and no technical credentials. He opened the app's shared_prefs folder using a standard file explorer, deleted the encrypted PIN entries from eudi-wallet.xml, restarted the app, entered a new PIN, and retained full access under the original credentials, as documented in his public demonstration.

The same configuration file also controlled the app's rate-limiting counter, a plain integer that could be reset to zero to allow unlimited PIN guesses, and a single boolean flag that disabled biometric checks entirely when toggled. Basic file editing, two minutes, full bypass.
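
One way to close the gap described above, shown as an added Python model that is not the app's code or Moore's: the security state carries an HMAC under a key kept outside the editable file, and missing entries on an enrolled wallet fail closed instead of leading to a new-PIN prompt. The entry names, `DEVICE_KEY` and the `enrolled` signal are assumptions standing in for the real preference entries, a hardware-backed key and the presence of stored credentials.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for a key kept in hardware-backed storage, never in the file.
DEVICE_KEY = b"constructed-demo-key"
# Hypothetical entry names; the article does not list the real ones.
PROTECTED = ("pin_hash", "failed_attempts", "biometric_required")


def _tag(values):
    """HMAC-SHA256 over the protected entries in a fixed order."""
    msg = "\n".join(f"{k}={values[k]}" for k in PROTECTED).encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def seal(values):
    """Write the security state as shared_prefs-style XML plus an integrity tag."""
    root = ET.Element("map")
    for k in PROTECTED:
        ET.SubElement(root, "string", name=k).text = str(values[k])
    ET.SubElement(root, "string", name="integrity_tag").text = _tag(values)
    return ET.tostring(root, encoding="unicode")


def load(xml_text, enrolled):
    """Return the state; raise if the file of an enrolled wallet was edited.

    `enrolled` must come from outside the file (assumed here: credentials
    already exist in the wallet), so deleting entries cannot fake a first run.
    """
    entries = {e.get("name"): e.text or "" for e in ET.fromstring(xml_text)}
    missing = [k for k in PROTECTED if k not in entries]
    if missing and not enrolled:
        return None  # genuine first run: PIN setup is allowed
    if missing:
        raise PermissionError(f"protected entries missing: {missing}")
    stored = entries.get("integrity_tag", "").encode()
    if not hmac.compare_digest(stored, _tag(entries).encode()):
        raise PermissionError("integrity tag mismatch")
    return {k: entries[k] for k in PROTECTED}


if __name__ == "__main__":
    sealed = seal({"pin_hash": "ab12", "failed_attempts": 3,
                   "biometric_required": "true"})
    print(load(sealed, enrolled=True))
```

An HMAC alone does not stop someone restoring an older, still-valid copy of the file, so the attempt counter belongs in the same protected storage as the key rather than beside the data it guards.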

That is not the only architectural problem. A separate analysis from March 2026 found that the app's issuer component cannot verify that passport validation actually occurred on the user's device, meaning the trust chain is unverifiable from end to end. Moore addressed von der Leyen directly, warning that this product "will be the catalyst for an enormous breach at some point."

A Fast Patch Is Not the Same as a Safe App

The Commission's response was genuinely fast. EC Digital Spokesperson Thomas Regnier confirmed that DG Connect and the contractor had taken immediate steps, with a new version pushed to GitHub on April 17 with security improvements addressing the disclosed vulnerabilities.

Regnier described the current code as a demo version, emphasized that the app would be constantly updated and improved, and said the long-term goal is meeting the highest privacy standards globally. I mean this sincerely: that is a better response than most institutions manage.

And yet Regnier also said he "cannot today exclude or prejudge if further updates will be required." That is the Commission's own spokesperson acknowledging, in polite official language, that nobody knows what else is in there. This app was being piloted in six member states while its own readme warned against production use, and the flaw Moore found took two minutes and a file explorer. The question now is not whether the Commission can patch what gets found but what has not been found yet.

If the answer to that question is "we don't know," that is not a tolerable answer for an app built on passport biometrics that is explicitly designed to scale into the EUDI Wallet for hundreds of millions of Europeans. The Commission should explain what a complete security audit of this architecture looks like, who is conducting it, and what the standard is for "ready" before this infrastructure moves any further toward that rollout.


© Copyright 2026 UAB "MN Intelligence"