Security researchers hacked the demo version of the European Commission's new age verification app in less than two minutes

A stock photo of a hacker with computers in dark room. The devices are displaying computer code on the screens. — (Image credit: boonchai wedmakawand via Getty Images)

I've said it before, and I'll say it again: I'm really not keen on handing over any of my personally identifying details to a third-party age verification vendor. Whether it be a scan of my face, my official ID, or my payment card, I'd rather not engage with yet another potential point of failure for my data to leak out from. Unfortunately, we are rapidly approaching a widely age-gated internet.

As such, the European Commission has been working on developing an app to use across online services in EU member states. EC president Ursula von der Leyen recently stated that this age verification app is "technically ready" and will "soon [be] available for citizens to use." A demo of the Android app is available via GitHub—though security researchers claim they were able to bypass the security practices of this version in under two minutes (via SOFX).

The app currently requires users to input a six-digit PIN. However, Moore's screen recording demonstrates you can easily scrub a user's previous PIN from the app’s eudi-wallet.xml configuration file, set a fresh PIN via the app, and then use that to gain access to the verified credentials saved to the device. This bypass could be used by bad actors—or the youngsters in your life who know how to unlock your phone and possess enough technical know-how to find the .xml in question.

The European Commission clarified to Politico last week that this exploit was present in the demo version, but that the bypass would not be present in the full release. Digital spokesperson Thomas Regnier introduced some wiggle room, explaining, "When we say it's a final version, it's still a demo version...the code will be constantly updated and improved."

Grand Theft Auto Online — (Image credit: Rockstar Games)

The whole episode follows a joint statement from 400 security researchers sent to the European Commission last month. This statement raised a number of concerns, including how easy it is to bypass existing age estimation services (our James has written about two different methods).

Still, chief spokesperson Paula Pinho stood by President von der Leyen's original statement, telling reporters, "Yes, [the final version of the app] is ready. Maybe we can add, 'and it can always be improved'." So it often goes in software development—but given the app in question is the result of a €4 million tender, that's going to be little comfort to grumpy guts like me or folks who genuinely just want to keep their kids safe online.

Secretlab Titan Evo gaming chair in Royal colouring, on a white background

Best PC gaming kit 2026

1. Best gaming chair: Secretlab Titan Evo

2. Best gaming desk: Secretlab Magnus Pro XL

3. Best gaming headset: Razer BlackShark V3

4. Best gaming keyboard: Asus ROG Strix Scope II 96 Wireless

5. Best gaming mouse: Razer DeathAdder V4 Pro

6. Best PC controller: GameSir G7 Pro

7. Best steering wheel: Logitech G Pro Racing Wheel

8. Best microphone: Shure MV6 USB Gaming Microphone

9. Best webcam: Elgato Facecam MK.2

👉Check out our list of guides👈

TOPICS

Jess has been writing about games for over ten years, spending a significant chunk of that time working on print publications PLAY and Official PlayStation Magazine. When she’s not investigating all things hardware here, she's either constructing a passionate defence of a 7/10 game, daydreaming about her debut novel, or feeling wistful about the last time she chased some nerds around a field with an oversized foam sword.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.