EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened

eidas-pro — Sat, 18 Apr 2026 19:06:10 +0000

On April 15, 2026, the EU launched the age verification "mini-wallet" app. Within 24 hours, security researcher Paul Moore published a video claiming he bypassed it in 2 minutes. The story went viral across Reddit with tens of thousands of upvotes.

The headlines write themselves, but the technical reality is more nuanced.

The Three Flaws

Paul Moore identified three design flaws in the wallet app's local device implementation:

1. PIN decoupled from the credential vault

The PIN protecting the wallet is verified locally, separate from the cryptographic key store that holds the actual credentials. On a rooted device, the PIN can be brute-forced without triggering the key store's protections.

2. Rate limiting stored as plaintext

Lockout counters that prevent repeated PIN attempts are stored as plaintext values in local storage. With root access, these counters can be reset directly.

3. Biometric gate is a boolean flag

The biometric authentication check resolves to a simple boolean value. On a rooted device, this flag can be toggled without actually completing biometric verification.

What Remains Secure

All three bypasses share a critical prerequisite: physical access to a rooted device. None of them enable remote attacks.

More importantly, the OpenID4VP protocol that governs the actual verification transaction between wallet and verifier was not compromised. When a verifier checks someone's age, they validate cryptographic proofs signed by the PID (Person Identification Data) provider. These signatures cannot be forged through any of the three local bypasses.

For developers building age-gated services:

The signed attestations your backend validates are still trustworthy
No changes needed to your verification integration
The privacy model (verifiers receive yes/no, never the actual birthdate) is intact

Implementation vs. Protocol

This is a textbook case of the distinction between protocol soundness and implementation quality. The cryptographic architecture — based on OpenID4VP credential presentation — is well-designed. The local device protections that guard access to the wallet were implemented with shortcuts.

The fixes are straightforward:

Bind PIN verification to the hardware key store
Move rate limiting into the secure enclave
Replace the boolean biometric flag with a challenge-response tied to the key store

None of these require protocol-level changes.

The Structural Concern

The bigger issue is platform lock-in. The wallet app only runs on iOS and Android, with a hard dependency on Google Play Services. There is no libre client, no desktop version, and no way for users of alternative mobile platforms to participate.

For a system mandated by EU regulation, this exclusivity raises legitimate accessibility and sovereignty questions that outlast the fixable implementation bugs.

The Positive Signal

Open-source security auditing worked exactly as designed. The code was auditable, a researcher found flaws on day one, and published them responsibly. This is the model functioning correctly.