On April 15, 2026, the European Commission declared its new digital age verification app technically ready for deployment. European Commission President Ursula von der Leyen personally unveiled the tool, claiming it meets "the highest privacy standards." The app is designed to protect minors from harmful content on social media platforms.
The technical design sounded promising: passport or ID card scanning, biometric verification through a video selfie, and all processing done on-device with no data sent to external servers. The code is open source and compatible with the upcoming EU Digital Identity (EUDI) wallet. The premise: prove you are old enough without revealing any personal data.
Bypassed in Under 2 Minutes
Within hours of the official announcement, UK-based security consultant Paul Moore published a full authentication bypass demonstration. Time required: less than two minutes.
The method was alarming in its simplicity. The PIN brute-force protection counter is stored as a plain integer in a plain-text configuration file - it can be reset to zero by hand. The biometric check is implemented as a boolean flag in the same file - set it to false and the entire step is skipped. Deleting two values (PinEnc and PinIV) and restarting the app grants access to another user's identity profile.
No specialized tools, no zero-day exploits - just a text editor and a file manager. A March 2026 security audit had already found that the app's issuer component cannot verify that passport verification actually occurred on the user's device, opening additional attack vectors.
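For contrast, a sketch of what tamper-evident local state looks like, as an added example that is not taken from the app's code: every security field is covered by a MAC, a missing field is a hard failure, and a version check catches restored old copies. Assumptions: all field names except PinEnc and PinIV are hypothetical, the MAC key and trusted_version stand in for values held in hardware-backed storage, and MAX_ATTEMPTS is an assumed threshold.

```python
import hashlib
import hmac
import json

REQUIRED = {"version": int, "pin_attempts": int, "biometric_required": bool,
            "PinEnc": str, "PinIV": str}
MAX_ATTEMPTS = 5  # assumed lockout threshold, not taken from the app


def _mac(key: bytes, fields: dict) -> str:
    # Canonical JSON so the same fields always produce the same tag.
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def seal(fields: dict, key: bytes) -> str:
    """Serialize the state together with a MAC over every field."""
    return json.dumps({"fields": fields, "mac": _mac(key, fields)})


def check_state(blob: str, key: bytes, trusted_version: int) -> str:
    """Return 'ok' or the reason the app must refuse to unlock (fail closed)."""
    try:
        doc = json.loads(blob)
        fields, tag = doc["fields"], doc["mac"]
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if not isinstance(fields, dict) or not isinstance(tag, str):
        return "malformed"
    for name, kind in REQUIRED.items():
        # A deleted or retyped field is a hard failure, never a fresh start.
        if type(fields.get(name)) is not kind:
            return "missing-field"
    if not hmac.compare_digest(tag.encode(), _mac(key, fields).encode()):
        return "tampered"
    if fields["version"] != trusted_version:
        return "rollback"  # an older, validly sealed copy was restored
    if fields["pin_attempts"] >= MAX_ATTEMPTS:
        return "locked-out"
    return "ok"


# Constructed sample data; the key stands in for one held in a hardware keystore.
KEY = b"demo-key-not-for-production"
GOOD = {"version": 7, "pin_attempts": 3, "biometric_required": True,
        "PinEnc": "Y29uc3RydWN0ZWQ=", "PinIV": "c2FtcGxl"}
```

The check only holds if the key and the version counter live somewhere the file's editor cannot reach; it does nothing about the issuer-side gap noted in the March 2026 audit.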
Durov: Hackable by Design
Telegram founder Pavel Durov commented on the situation in his channel. His assessment: the app was hackable by architecture, not by accident. Placing all trust in the local device makes any security guarantees hollow. A system that stores critical security parameters in editable plaintext files cannot be considered secure by definition.
Durov raised a more serious concern as well. The high-profile failure, he argued, could give EU authorities a convenient pretext to redesign the app around centralized verification - creating infrastructure where every visit to an age-restricted site is logged on government servers. What started as a child safety tool could quietly become a mechanism for mass monitoring of citizens' online activity.
Durov has been consistent on this front. He previously criticized Spain's mandatory social media age verification plans as a step toward a "surveillance state," and has repeatedly opposed the EU's Chat Control proposal to scan private messages.
The Bigger Picture
The age verification app sits within a broader EU digital agenda. Under the eIDAS 2.0 regulation, all member states must deploy national versions of the EU Digital Identity wallet by the end of 2026. The app was designed as the first public-facing step toward a unified EU citizen digital identity system.
Critics have long argued that any system requiring identity confirmation to access content inevitably builds surveillance infrastructure, regardless of the developers' intent. The two-minute hack confirmed that the technical execution falls well short of the stated ambitions.
As of publication, the European Commission has issued no official response and released no security patch.
Additional Vulnerabilities and GDPR Concerns
Further analysis revealed additional issues. Facial images from identity documents are stored on the device as unencrypted PNG files. Verification selfies are written to external storage and never deleted. Researcher Paul Moore also demonstrated that a browser extension can forge valid verification responses, bypassing the app entirely. The stored images and selfies directly contradict the official claim that "no personal data is stored" and raise serious GDPR compliance questions regarding biometric data.
One notable detail: the app's official GitHub repository contains a warning that this is "early development" software with lower security standards and advises against production use. That warning was already in the repository at the time of Ursula von der Leyen's launch announcement.
Sources: Durov's Telegram post, Cybernews, CyberSecurityNews, PiunikaWeb, CyberInsider, Biometric Update