Hacker News
new|best

EU Age Verification Hacked in 2 Minutes: What Happened

(pasqualepillitteri.it)
18 points by bigbugbag 5 days ago|16 comments
kelseyfrog 5 days ago
For the same reason, I don't use sudo. Despite being patched, the presence of prior vulnerabilities [1] and hacks makes it fundamentally not trustworthy.

1. https://app.opencve.io/cve/?vendor=sudo_project

free_bip 5 days ago
What software are you willing to use then, considering your criteria would eliminate over 90% of OSS projects?
raxxorraxor 4 days ago
The difference is that sudo is useful. The EU age verification app however...
throwawayk7h 5 days ago
so do you just use su?
raxxorraxor 4 days ago
Just run everything as root to circumvent security problems.

Seriously, it is as if there would be a CVE because sudo allows privilege escalation.

Of course such widely spread tools should be audited and have eyes on them. On the other hand many people are tired of security strategies because half of the time it is about a platform doing it for market domination. Our thoroughly shitty mobile OS come to mind. This age verification crap isn't too different, just slightly different goals where real security isn't really considered too much.

kelseyfrog 5 days ago
No. Su also has a history[1] of vulnerabilities.

1. https://app.opencve.io/cve/CVE-2025-71263

subscribed 4 days ago
Then what, do you just work on your root account?
bigbugbag 5 days ago
How Paul Moore broke the EU age verification app in 2 minutes, the 8 confirmed vulnerabilities and the emergency patch 24 hours later. Full analysis.
GuB-42 5 days ago
It is a good exercise, but in practice, what's the big deal?

Even if the app is bulletproof, age verification will get bypassed. Account sharing, file sharing, darknets, etc... It mostly prevents kids from stumbling upon content that isn't meant for them, but it won't resist deliberate attacks for long, especially if the parents are complacent. And for that, the EU Age Verification app looks fine, especially now what the easy bugs are fixed.

bigbugbag 5 days ago
one has to understand that the point is not to protect kids, it never is, but to control online activities. also this is not an organic law, this is the result of intense lobbying by transnational corporations such as facebook, pushing hard for this and there are reports from inside the parliament that this is rushed to be release ASAP despite not being ready or properly tested.
GuB-42 5 days ago
Except that this kind of age verification is not what "transnational corporations such as Facebook" is pushing for. In fact such a system is probably the worst for them: they can't use the token for tracking, and it can make it harder for them to target children because it is likely to come with further restrictions.

What the tech giants want is OS level attestation. They want to control what you can install on your device, to me the thing to avoid at all costs. This is not it, this is an open source app that you can run anywhere.

The proposed solution is the closest you can get to one that is designed to protect kids more than to control online activities. The weakness of the system, where a determined kid can get through is a feature, not a bug! More than that and it becomes more about control and less about kids (who will get through no matter what).

I am not commenting on how necessary age verification is. Personally, I am all for a wide open internet but many people actually want to "protect the children". The argument wouldn't be used as a justification for surveillance laws if they didn't.

mrsssnake 3 days ago
> This is not it, this is an open source app that you can run anywhere

The service for EU age verification app requires Google Play Integrity API check. So as much as you "can" run the app itself anywhere, you are forced to do it on whitelisted build of an OS on a whitelisted device.

subscribed 4 days ago
These companies are pushing for it, just as far as humanely possible from them. They're not in the business of protecting kids, but in the business of the plausible deniability.

Start here: https://news.ycombinator.com/item?id=47361235

And here's from the larger organisation, from another angle: https://techoversight.org/2025/07/29/bloomberg-meta-google-l...

raxxorraxor 4 days ago
I would like my kids to be safe and that means no shitty gatekeeper app where they have to identify themselves. If a platform requires it, kid won't get access. Perhaps that is the real benefit here.
Woodi 5 days ago
Excuse me but why there are no parents in the loop ? They are first line of kids defence and best suited for that: truly biological need. Not to mention such secondary thing like law obligations. No technical system can bit that. Only make things half baked and stupid or abusive on privacy, logic and actual reality.

Kids are parents kids not some context-less socialist/bureaucracy/german invasive ideology creatures.

If you want to do inventory checking for all that future migrants generations do it like you do with actual humans and not via some outdated and hackable inferior piece of hardware.

subscribed 4 days ago
Because this is the control / surveillance grab, not the genuine child protection.

Notice how the latest mandatory age verification in iPhones in the UK has been introduced: not as a possible, easy switch one, but the default on, requiring adults to potentially deanonymise themselves. I repear: it's not something the parent could enable/lock in within a 10 seconds, it's something enabled with every adult's phone, something the kid will evade in the same way they buy tobacco or alcohol right now.

That was never about the kids. Otherwise the governments wouldn't tolerate Meta openly admitting they've been knowingly hooking up kids, knowingly worsening their mental health, or Musk's X keeping CSAM generator open while all the world's governments just grimaced and kept legitimizing it.