EU Age Verification Hacked in 2 Minutes: What Happened

Posted by bigbugbag 15 hours ago

Counter13Comment9OpenOriginal

Comments

Comment by kelseyfrog 12 hours ago

For the same reason, I don't use sudo. Despite being patched, the presence of prior vulnerabilities [1] and hacks makes it fundamentally not trustworthy.

1. https://app.opencve.io/cve/?vendor=sudo_project

Comment by free_bip 6 hours ago

What software are you willing to use then, considering your criteria would eliminate over 90% of OSS projects?

Comment by throwawayk7h 7 hours ago

so do you just use su?

Comment by kelseyfrog 5 hours ago

No. Su also has a history[1] of vulnerabilities.

1. https://app.opencve.io/cve/CVE-2025-71263

Comment by bigbugbag 15 hours ago

How Paul Moore broke the EU age verification app in 2 minutes, the 8 confirmed vulnerabilities and the emergency patch 24 hours later. Full analysis.

Comment by Woodi 6 hours ago

Excuse me but why there are no parents in the loop ? They are first line of kids defence and best suited for that: truly biological need. Not to mention such secondary thing like law obligations. No technical system can bit that. Only make things half baked and stupid or abusive on privacy, logic and actual reality.

Kids are parents kids not some context-less socialist/bureaucracy/german invasive ideology creatures.

If you want to do inventory checking for all that future migrants generations do it like you do with actual humans and not via some outdated and hackable inferior piece of hardware.

Comment by GuB-42 12 hours ago

It is a good exercise, but in practice, what's the big deal?

Even if the app is bulletproof, age verification will get bypassed. Account sharing, file sharing, darknets, etc... It mostly prevents kids from stumbling upon content that isn't meant for them, but it won't resist deliberate attacks for long, especially if the parents are complacent. And for that, the EU Age Verification app looks fine, especially now what the easy bugs are fixed.

Comment by bigbugbag 12 hours ago

one has to understand that the point is not to protect kids, it never is, but to control online activities. also this is not an organic law, this is the result of intense lobbying by transnational corporations such as facebook, pushing hard for this and there are reports from inside the parliament that this is rushed to be release ASAP despite not being ready or properly tested.

Comment by GuB-42 3 hours ago

Except that this kind of age verification is not what "transnational corporations such as Facebook" is pushing for. In fact such a system is probably the worst for them: they can't use the token for tracking, and it can make it harder for them to target children because it is likely to come with further restrictions.

What the tech giants want is OS level attestation. They want to control what you can install on your device, to me the thing to avoid at all costs. This is not it, this is an open source app that you can run anywhere.

The proposed solution is the closest you can get to one that is designed to protect kids more than to control online activities. The weakness of the system, where a determined kid can get through is a feature, not a bug! More than that and it becomes more about control and less about kids (who will get through no matter what).

I am not commenting on how necessary age verification is. Personally, I am all for a wide open internet but many people actually want to "protect the children". The argument wouldn't be used as a justification for surveillance laws if they didn't.