Security Researchers Hacked the Demo Version of the European Commission's New Age Verification App in Less than Two Minutes

PC Gamer, Apr 21, 2026

Why It Matters

A vulnerable age‑verification tool could undermine EU efforts to protect minors online and erode public trust in digital identity solutions. Prompt remediation is essential to avoid regulatory setbacks and potential data‑security liabilities.

Key Takeaways

  • Demo app's PIN can be reset via editable XML file
  • Researchers bypassed demo in under two minutes
  • EU says vulnerability only in demo, not final release
  • Age‑verification app built with €4 million (~$4.3 million) EU funding
  • Potential risk for minors if app security remains weak

Pulse Analysis

The European Commission’s new age‑verification app is a cornerstone of the EU’s Digital Services Act, which mandates robust age‑gating for online platforms. Backed by roughly $4.3 million in public funds, the Android demo was released on GitHub to showcase the system’s functionality and invite scrutiny. The initiative aims to replace fragmented national solutions with a single, privacy‑by‑design wallet that stores verified age credentials, allowing users to prove they are over a certain age without revealing personal details.

A coordinated group of security researchers demonstrated that the demo’s security controls could be subverted in under two minutes. By locating the eudi‑wallet.xml configuration file, they extracted the existing PIN, overwrote it, and unlocked the credential store. This simple XML edit exposed a critical design oversight: the app stored sensitive data in a readable format on the device. While the Commission argues the flaw is confined to the demo, the episode highlights the challenges of deploying a pan‑EU digital identity solution that must balance usability, privacy, and resilience against low‑skill attackers.
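
To illustrate the design oversight described above, the following added example (not code from the app, the researchers or the Commission) contrasts a store gated by a PIN value kept in an editable file with one whose contents are encrypted under a key derived from the PIN. The dictionary layout, the PINs and the credential bytes are constructed, and the HMAC-based keystream is a standard-library stand-in for an AEAD such as AES-GCM.

```python
import hashlib, hmac, os

def weak_unlock(store, pin):
    # Flawed pattern: the only gate is a PIN value kept in the editable file.
    return store["secret"] if hmac.compare_digest(store["pin"], pin) else None

def _derive(pin, salt):
    # Slow KDF over the PIN; returns (encryption key, MAC key).
    k = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode (assumption: stand-in for AES-GCM).
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(pin, secret):
    # Hardened pattern: the file never holds the PIN, only salt and ciphertext.
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = _derive(pin, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(ek, nonce, len(secret))))
    tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def hardened_unlock(store, pin):
    ek, mk = _derive(pin, store["salt"])
    expect = hmac.new(mk, store["nonce"] + store["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, store["tag"]):
        return None  # wrong PIN or edited file: nothing is decrypted
    ks = _keystream(ek, store["nonce"], len(store["ct"]))
    return bytes(a ^ b for a, b in zip(store["ct"], ks))

def demo():
    secret = b"constructed-age-credential"           # constructed sample data
    weak = {"pin": "482913", "secret": secret}
    weak["pin"] = "000000"                           # stored PIN overwritten on disk
    strong = seal("482913", secret)
    tampered = dict(strong, salt=os.urandom(16))     # same kind of on-disk edit
    return (weak_unlock(weak, "000000"),             # credential released
            hardened_unlock(tampered, "000000"),     # None
            hardened_unlock(strong, "000000"),       # None
            hardened_unlock(strong, "482913"))       # credential released

if __name__ == "__main__":
    print(demo())
```

A short PIN can still be guessed offline against a software-only KDF, which is why binding the key to a hardware-backed keystore is the stronger control.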

The incident has sparked a broader debate among policymakers, tech firms, and privacy advocates about the readiness of large‑scale identity infrastructures. If the final version does not address the demonstrated weaknesses, it could delay compliance timelines for platforms and expose users—especially minors—to fraud or unauthorized data access. Industry observers expect the Commission to accelerate hardening measures, incorporate third‑party audits, and possibly adopt hardware‑backed secure enclaves. For businesses, the takeaway is clear: robust security testing must be integral to any regulatory‑driven rollout, or the credibility of the entire digital‑identity ecosystem could suffer.
