Security researcher Paul Moore has revealed a significant vulnerability in the European Union’s age verification application. By using a Chrome extension powered by ClaudeAI, Moore demonstrated how to bypass the app’s security features, casting doubt on the efficacy of the EU’s privacy-centric age verification measures.
Exposing the App’s Design Flaw
The EU’s age verification system, touted for its ‘privacy-preserving’ design, is intended to confirm user age without sharing personal data. However, Moore’s proof-of-concept highlights a fundamental flaw: the system allows the reuse of over-18 attestations without linking them to a specific user identity.
In a video shared on X, Moore illustrated how the app can be deceived into repeatedly accepting a single ‘over 18’ token. This token can be reused across multiple sessions, circumventing the need for fresh verification each time.
Technical Vulnerabilities and Exploitation
Rather than attacking the cryptographic integrity of the system or server-side checks, Moore’s method involves a Chrome extension that intercepts and replays the age attestation. This loophole means that once an attestation is obtained, it can be leveraged repeatedly without further validation.
The app’s emphasis on privacy by withholding personal information inadvertently creates a security gap. Websites relying on the app cannot verify the attestation’s linkage to the current user, allowing the extension to exploit this separation between age assertion and user identity.
Implications for Privacy and Security
The EU’s policy aims to protect user privacy by ensuring age checks do not involve personal data. However, Moore’s findings suggest that this approach ultimately undermines the system’s reliability. The app’s design allows a single valid token to be captured and reused, turning it into a versatile ‘adult access pass.’
Despite claims of security enhancements over recent months, Moore argues that these tweaks cannot resolve the system’s inherent design flaws. The reliance on anonymous, reusable proofs lacks the context needed for effective enforcement and remains susceptible to replay or automation attacks.
For website operators subject to EU age verification requirements, Moore’s research serves as a cautionary tale. It underscores the need for more robust verification methods beyond the official app, which fails to deliver the expected level of protection against potential abuse.
