👤 KERNELWATCHER
🗓️ 18 Apr 2026   🌍 Europe

Cracked in Two: EU’s Child Protection App Exposes Gaping Security Flaws

A “secure” EU age-verification app was hacked in minutes, raising urgent questions about digital child safety.

It was supposed to be a digital shield for Europe’s children - a cutting-edge app to keep minors safe online by verifying their age. But within just two minutes of its public debut, the European Union’s much-touted age verification app was hacked, exposing not just technical oversights but a deeper crisis of trust in digital child protection.

The alarm was sounded by independent security analyst Paul Moore, who dissected the app’s inner workings and found its protections to be little more than digital tissue paper. According to Moore, the app’s PIN - meant to safeguard a user’s verified identity - was stored in a way that made it trivial for attackers to reset and reuse, entirely bypassing intended security measures. Worse, the PIN wasn’t even cryptographically linked to the user’s actual identity vault, meaning that deleting a few lines in a configuration file could let anyone walk away with someone else’s verified credentials.

But the troubles didn’t stop there. Moore revealed that the app’s defense against brute-force PIN attempts was nothing but a simple counter in a text file, easily reset by anyone with minimal technical know-how. Even biometric authentication - face or fingerprint - was just a switch in the same file. Turning it off meant instant access, no scan required.
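The two paragraphs above describe a PIN that is not bound to the vault, and an attempt counter and biometric switch that can be edited in a plain file. The sketch below is an added example, not code from the app or from Moore's analysis, showing one way a client could close both gaps: the vault key is derived from the PIN, and the settings record carries a MAC so edits are rejected. It assumes `device_key` is a non-extractable secret held in a hardware-backed keystore; all function and field names are hypothetical.

```python
import hashlib, hmac, json, os

MAX_ATTEMPTS = 5  # assumed lockout threshold

def _mac(device_key, state):
    body = json.dumps(state, sort_keys=True).encode()
    return hmac.new(device_key, body, hashlib.sha256).hexdigest()

def seal(device_key, state):
    # On-disk record: settings plus a MAC under the device-bound key.
    # A MAC detects edits, not replay of an older record; a production
    # counter belongs in hardware-backed storage.
    return {"state": state, "mac": _mac(device_key, state)}

def derive_vault_key(device_key, pin, salt):
    # The vault key is a function of the PIN and the device key, so no
    # value on disk can stand in for a PIN the caller does not know.
    stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)
    return hmac.new(device_key, stretched, hashlib.sha256).digest()

def _check(key):
    return hmac.new(key, b"vault-key-check", hashlib.sha256).hexdigest()

def enroll(device_key, pin):
    salt = os.urandom(16)
    key = derive_vault_key(device_key, pin, salt)
    return seal(device_key, {"salt": salt.hex(), "attempts": 0,
                             "biometric_required": True,
                             "key_check": _check(key)})

def unlock(device_key, record, pin, biometric_ok):
    """Return (vault_key or None, record to persist); raise on tampering."""
    state, mac = record.get("state"), record.get("mac")
    if not isinstance(state, dict) or not isinstance(mac, str) \
            or not hmac.compare_digest(mac, _mac(device_key, state)):
        raise ValueError("settings record missing or modified")
    if state["attempts"] >= MAX_ATTEMPTS:
        return None, record
    if state["biometric_required"] and not biometric_ok:
        return None, record
    key = derive_vault_key(device_key, pin, bytes.fromhex(state["salt"]))
    ok = hmac.compare_digest(_check(key), state["key_check"])
    attempts = 0 if ok else state["attempts"] + 1
    return (key if ok else None), seal(device_key, dict(state, attempts=attempts))
```

A record whose counter or biometric flag has been changed, or whose fields have been deleted, fails the MAC check and the vault stays locked.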

Perhaps most alarming was the mishandling of sensitive images. When the app read a user’s face via NFC from an electronic document, it stored the image as a lossless PNG on the device. If anything went wrong during the process, the image could be left behind, unencrypted and vulnerable. Selfie images used for verification were even less protected, sometimes saved outside the app’s secure storage and never deleted. For a system built to protect children’s privacy, these oversights could have severe consequences.

The European Commission responded swiftly, insisting the glaring vulnerabilities were limited to an earlier demo version and had since been fixed. “We had identified that vulnerability,” a spokesperson said, emphasizing that the final version presented to the public was secure. The Commission also pointed to advanced privacy-preserving technologies, including zero-knowledge proofs, as evidence of their commitment to safeguarding users’ identities.

Still, the episode raises unsettling questions about the rigor of security testing in digital child protection initiatives - and whether public trust can be restored once it’s been so quickly breached. As more children go online and governments turn to technology for solutions, the cost of even a minor oversight could be catastrophic.

Ultimately, the EU’s age verification app saga is a cautionary tale: in the race to protect the vulnerable, cutting corners on cybersecurity can leave everyone exposed. The real test isn’t how fast you launch, but how well you defend what matters most.

WIKICROOK

  • PIN: A PIN is a numeric code used to verify a user’s identity and secure access to digital accounts, devices, or services.
  • Cryptography: Cryptography is the practice of encoding information into secret codes, protecting data from unauthorized access and ensuring secure communication.
  • Biometric Authentication: Biometric authentication verifies identity using unique physical traits like fingerprints or facial recognition, offering secure and convenient access to devices and accounts.
  • Brute-force attack: A brute-force attack is an automated hacking method where attackers try many passwords or keys until they find the correct one to gain unauthorized access.
  • Zero-day vulnerability: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.

KERNELWATCHER
Linux Kernel Security Analyst