The EU’s age verification app can be hacked in 2 minutes. (Found by Paul Moore)

Demo:
https://youtu.be/1hfDOhrNx1I

In short:
- The PIN you set to lock the app is encrypted, not hashed, which means with the private key of the app it could be reversed (there’s no need to get that as you’ll see in the next points).
- Once you verify your age, the pictures and data identifying you are not deleted. Although on regular phones you and other apps can’t access it as they are protected at the Android level, this is still a breach of GDPR.
- The app’s data is stored in a shared preferences file, which is pretty much just plain text. If you delete the key for your PIN, the app will let you create a new one, and still access the data of the old account.
- Nevertheless, the EU still brands it as a privacy friendly option on their site at https://t.ly/labwF

In short, don’t verify your age online! This is really bad for privacy!
@privacy

#privacy #europe #opensource #cybersecurity #ageverification
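The first and third points above describe the same storage design mistake: a PIN kept in recoverable form, and user data that stays readable once the PIN record is removed. The sketch below is an added example (not code from the EU app, nor from Paul Moore's demo) of the property a defender wants instead: the PIN is only ever used to derive a key, nothing about it is stored except a random salt, and the record itself is sealed under that key, so deleting or replacing the PIN entry cannot unlock the old data. The "store" dict stands in for an Android SharedPreferences file, and the HMAC-based keystream and tag are a stdlib stand-in for AES-GCM under an Android Keystore key; both are assumptions of this example, not details from the post.

```python
"""PIN-bound local storage sketch (added example; assumptions noted inline)."""
import hashlib
import hmac
import os

# Work factor for the PBKDF2 derivation. Assumption: a real Android app would
# additionally wrap this key with a hardware-backed Keystore key.
PBKDF2_ITERS = 200_000


def derive_key(pin: str, salt: bytes) -> bytes:
    """One-way derivation: the PIN cannot be read back from the result."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERS, dklen=32)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys so the two HMAC uses never collide."""
    enc = hmac.new(key, b"enc", "sha256").digest()
    mac = hmac.new(key, b"mac", "sha256").digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC (stand-in for a real AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong PIN yields a wrong key and fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong PIN or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_store(pin: str, record: bytes) -> dict:
    """Build the preferences-style store. Note: no PIN field exists at all."""
    salt = os.urandom(16)
    sealed = seal(derive_key(pin, salt), record)
    return {"salt": salt.hex(), "record": sealed.hex()}


def unlock(store: dict, pin: str) -> bytes:
    """Return the record only if the PIN derives the key that sealed it."""
    salt = bytes.fromhex(store["salt"])
    return open_sealed(derive_key(pin, salt), bytes.fromhex(store["record"]))


def reset_pin_without_old(store: dict, new_pin: str) -> dict:
    """What a 'delete the PIN key and set a new one' attempt can achieve here:
    a fresh store for the new PIN, but the old record is not carried over
    because nothing can decrypt it without the old PIN."""
    return create_store(new_pin, b"")


if __name__ == "__main__":
    # Constructed sample record, not real data.
    s = create_store("1234", b"date_of_birth=2001-05-17")
    print("store keys:", sorted(s))          # ['record', 'salt'] - no PIN stored
    print(unlock(s, "1234"))                 # b'date_of_birth=2001-05-17'
    try:
        unlock(s, "0000")
    except ValueError as e:
        print("rejected:", e)
```

Two caveats a reviewer would attach. A four-digit PIN has only 10,000 possible values, so once an attacker holds the salt and record, the KDF only slows an offline guess; on Android the right mitigation is to wrap the derived key with a hardware-backed Keystore key that enforces user authentication and attempt limits, which this stand-in does not model. And the second point in the post (identifying images retained after verification) is not a storage-format problem at all: data that is not needed after the check should simply not be kept.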

  • vapeloki@lemmy.world
    1 month ago

    This is the 20th post I’ve seen about this.

    And for the 10th time I will say it:

    This is a prototype release. This is not a production ready release. It demos the integration. Each country will build their own app.

    • 🦊 helloyanis :veripawed3:@furries.club (OP)
      1 month ago

      @vapeloki While this is a prototype release, yes, it shows they don’t have user privacy at the core of their product despite what the branding seems to imply.

      Usually prototypes come with missing features, but right now the features are in a state with fundamental security flaws, and they’d almost need to rebuild the whole app to fix that. Usually a prototype is to prove that a concept works, not how insecure it is.

      Also, besides that, the president of the EU Commission publicly stated that the app is production ready with the world’s best security standards. See https://xcancel.com/vonderleyen/status/2044340323120193595#m. I don’t think this would get posted if they thought that the app’s security infrastructure was broken and that this is just a prototype 🫤