Outrage as EU App Fails—Data Risks Soar!

The European Union’s brand-new age verification app—touted as a cutting-edge solution to protect children online—was compromised by a security researcher in under two minutes, exposing glaring vulnerabilities and raising serious questions about government competence in handling sensitive biometric data.

Story Snapshot

  • EU Commission President Ursula von der Leyen unveiled the “technically ready” open-source app on April 15, 2026, designed to verify ages using biometrics and NFC technology.
  • Security researcher Paul Moore bypassed the app’s protections in less than two minutes by editing simple device files, disabling PINs and biometric locks.
  • Independent experts discovered the app stored unencrypted selfies and facial recognition data on users’ devices, creating privacy risks.
  • The EU admitted the app wasn’t “bulletproof” and promised fixes by April 17, but the incident highlights a troubling pattern of bureaucratic tech failures.

Brussels’ High-Profile Launch Backfires Spectacularly

European Commission President Ursula von der Leyen presented the EU’s new age verification app in Brussels on Wednesday, April 15, 2026, describing it as “technically ready” and fully open-source to ensure transparency. The app aimed to replace unreliable pop-up age confirmations with biometric facial recognition and NFC-based ID verification, part of broader EU efforts to protect children from online harms amid mounting pressure from member states. Von der Leyen emphasized the open-source approach would allow developers to test and improve the technology, positioning it as a responsible answer to national social media bans for minors sweeping across Europe.

Within hours of the app’s code appearing on GitHub, cyber experts began identifying serious security and privacy flaws. Security researcher Paul Moore quickly demonstrated a devastating vulnerability, posting a video showing how he bypassed the app’s protections in under two minutes. Moore’s technique involved editing the app’s shared preferences file on an Android device, removing encrypted PIN values, resetting rate limiting features, and disabling biometric authentication entirely—granting unrestricted access to existing age credentials without any advanced hacking tools. The simplicity of the exploit underscored fundamental design failures in an app intended to safeguard children’s data.
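The bypass described above is possible when lock state lives in a file the device owner can edit and the app trusts whatever it finds there. The following Python model is an added illustration, not the EU app's code and not part of the original article; it contrasts that pattern with a fail-closed check over sealed settings. The field names and `DEVICE_KEY` (standing in for a key held in a hardware-backed keystore) are hypothetical, and the sample values are constructed.

```python
import hashlib
import hmac
import json

# Stand-in for a key held in a hardware-backed keystore (assumption); in this
# model it is never written to the editable preferences file.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"
SEALED_FIELDS = ("pin_hash", "failed_attempts", "biometric_required")  # hypothetical names


def seal(prefs: dict) -> dict:
    """Return a copy of prefs with a MAC over the security-relevant fields."""
    body = json.dumps({k: prefs.get(k) for k in SEALED_FIELDS}, sort_keys=True)
    mac = hmac.new(DEVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {**prefs, "seal": mac}


def naive_gate(prefs: dict) -> str:
    """Flawed pattern: a missing PIN entry is read as 'no lock configured'."""
    return "unlocked" if "pin_hash" not in prefs else "pin_required"


def hardened_gate(prefs: dict) -> str:
    """Fail closed: a missing or altered sealed field blocks the credential."""
    if any(k not in prefs for k in SEALED_FIELDS) or "seal" not in prefs:
        return "tampered"
    expected = seal({k: prefs[k] for k in SEALED_FIELDS})["seal"]
    if not hmac.compare_digest(expected, str(prefs["seal"])):
        return "tampered"
    return "pin_required"


def constructed_prefs() -> dict:
    """Constructed sample state after enrolment (all values are made up)."""
    pin_hash = hashlib.pbkdf2_hmac("sha256", b"4821", b"constructed-salt", 100_000).hex()
    return seal({"pin_hash": pin_hash, "failed_attempts": 3,
                 "biometric_required": True, "theme": "dark"})


def edited_copies() -> dict:
    """The three kinds of edit the article describes, applied to copies."""
    base = constructed_prefs()
    no_pin = {k: v for k, v in base.items() if k != "pin_hash"}
    return {"pin_removed": no_pin,
            "counter_reset": {**base, "failed_attempts": 0},
            "biometric_off": {**base, "biometric_required": False}}
```

A seal of this kind only detects edits; binding the credential's decryption key to the PIN or biometric check is what makes a stored credential useless without the unlock.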

Unencrypted Biometric Data Left Exposed on Devices

Beyond the authentication bypass, independent developers uncovered additional alarming vulnerabilities in the open-source code. The app stored unencrypted copies of users’ selfies and facial biometric data directly on their devices, along with NFC identification information. These files were not automatically deleted after verification, creating persistent privacy risks if devices were lost, stolen, or accessed by malware. Technical forum discussions on Hacker News highlighted that rooted devices or malicious apps could exploit these storage flaws, extracting sensitive biometric information without users’ knowledge—an ironic outcome for a tool designed to protect minors.

The EU’s decision to publish the code openly was intended to invite scrutiny and foster trust, but it backfired spectacularly by allowing researchers to identify catastrophic weaknesses before any widespread rollout. Critics on forums like Vivaldi described the app as appearing to be “made by people with no security knowledge,” while cybersecurity outlets noted the “simple methods to bypass in minutes” contradicted the EU’s assurances of robust protection. The incident echoes previous European tech debacles, including flawed digital COVID-19 contact-tracing apps that leaked user data, reinforcing a pattern of bureaucratic overreach paired with technical incompetence.

EU Promises Fixes Amid Growing Distrust

By Friday, April 17, European Commission spokesman Thomas Regnier announced “immediate steps” to address the vulnerabilities and confirmed development of “a new version” of the app. The Commission acknowledged the system was not “bulletproof” and defended the open-source strategy as necessary for transparency and community-driven improvements. However, as of April 19, no detailed patches or updated code had been released, and the app remains unavailable for public download while revisions continue. The EU also conceded that even a fully functional app could be circumvented using VPNs or workarounds like having adults verify on behalf of minors.

The debacle carries significant implications for both EU credibility and the broader push for government-controlled digital identity systems. Short-term consequences include delays in rollout and erosion of public trust in Brussels’ ability to manage sensitive technologies. Long-term, the failure may fuel resistance to mandatory biometric data collection and invite legal challenges under the EU’s own stringent GDPR privacy regulations, especially if real-world data leaks occur. For Americans watching from across the Atlantic, the episode serves as a cautionary tale about the dangers of centralized, government-run tech solutions—particularly when unelected bureaucrats prioritize regulatory ambitions over basic security competence, putting citizens’ private information at risk in the name of “protection.”

Sources:

Brussels launched an age checking app. It took 2 minutes to hack it – DataBreaches.net

EU updates age check app after vulnerabilities found – Economic Times

New EU age verification app hacked in minutes – Cybernews

EU’s official age verification app found exposing sensitive user data – Vivaldi Forum

Brussels launched an age checking app. Hackers say it took 2 minutes to break it – Hacker News