EU age‑check app pitched as “technically ready” — hackers say it took two minutes to break

April 17, 2026
aisecurityprivacybusiness
Close-up of a smartphone screen displaying a variety of world flags emojis used for digital communication.
Photo by Tim Witzdam on Pexels

Launch met with alarm bells

The European Commission rolled out a mobile app intended to verify users’ ages online and protect minors from social media and adult sites. Commission President Ursula von der Leyen called the tool “technically ready” and touted that “it is fully open source. Everyone can check the code.” But within hours, cyber experts were combing the public GitHub repository and flagging what they described as glaring privacy and security problems. It has been reported that the source code stored sensitive data on users’ phones and left it unprotected.

Experts say bypasses were trivial — Commission calls it a demo

Security consultant Paul Moore allegedly breached the app in under two minutes, while French white‑hat Baptiste Robert reportedly confirmed methods to bypass biometric checks and PINs. Olivier Blazy warned that a verified adult’s device could be used by a child to spoof age checks — “my nephew can take my phone… and use it to prove he is over 18,” he said. The Commission responded that the version probed was a “demo version” released for testing and that the vulnerability “was fixed,” but it has been reported that some researchers were working from the latest public code.

PR crisis and a trust problem

This isn’t just a bug hunt. It’s a reputational hit at a moment when Brussels is pushing digital identity wallets and stricter online protections for children. Will citizens trust an EU‑backed identity tool after a rushed release and a stack of public critiques? Critics say the episode highlights a deeper tension: speed versus security, and a lack of independent audits before public exposure. As one Belgian ethical hacker put it, open sourcing is great — publishing an insecure demo is not.

What comes next

The Commission says the code will be constantly updated and improved, and spokespeople stressed the app is not yet the final product. Fine. But the emotional core here is simple: parents and privacy advocates want safety, not smoke and mirrors. The EU can fix code. Regaining trust is harder.

Sources: politico.eu