Comments (75)
- Sweepi: These are the sources cited by the article:
  [1] https://xcancel.com/Paul_Reviews/status/2044502938563825820
  [2] https://xcancel.com/paul_reviews/status/2044723123287666921
  [3] https://csa-scientist-open-letter.org/ageverif-Feb2026

  > "The saga is turning into a PR disaster for Brussels."

  imo: mostly because the author wants it to be a disaster. The app has not launched; they published the source code in order to invite external review. I don't have time to check every claim, but e.g. this [see quote below] seems to be blown out of proportion to me: the app fails to delete a temp image, which results in a selfie being stored indefinitely(?) on the internal disk of your device. If an adversary has access to the internal disk of my phone, they can also just access the photo roll.

  > "For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them. This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary."
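The storage pattern the quoted passage objects to (a capture written to external storage and left behind when a flow fails), shown the defensive way: the image lives in the app-private cache directory, is handed to the caller, and is deleted on every exit path. This is an added Kotlin example, not code from the EUDI wallet app or from anyone in this thread; `SelfieScratchFile` and its method names are hypothetical.

```kotlin
import android.content.Context
import android.graphics.Bitmap
import java.io.File
import java.io.IOException

// Hypothetical helper (not part of the wallet code base). The selfie is only
// ever written to context.cacheDir: app-private internal storage that other
// apps cannot read and that the OS is free to clear, unlike external storage.
class SelfieScratchFile(private val context: Context) {

    // Encodes the capture to a temp PNG, runs block() on it, and deletes the
    // file whether block() returns normally or throws, so the failure path
    // described above cannot leave the image on disk.
    fun <T> withSelfie(bitmap: Bitmap, block: (File) -> T): T {
        val file = File.createTempFile("selfie_", ".png", context.cacheDir)
        try {
            file.outputStream().use { out ->
                if (!bitmap.compress(Bitmap.CompressFormat.PNG, 100, out)) {
                    throw IOException("PNG encode failed")
                }
            }
            return block(file)
        } finally {
            // finally runs on success, on exception and on early return.
            if (file.exists() && !file.delete()) {
                file.deleteOnExit()
            }
        }
    }

    // Defence in depth for the one case finally cannot cover: a process kill
    // or crash between write and delete. Call this once at app start-up.
    fun purgeStale(): Int {
        val stale = context.cacheDir
            .listFiles { f -> f.isFile && f.name.startsWith("selfie_") }
            ?: return 0
        return stale.count { it.delete() }
    }
}
```

Writing to `context.cacheDir` needs no storage permission and keeps the file inside the app sandbox; a caller that must keep the image longer should encrypt it before moving it out of this scope rather than relying on the directory alone.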
- JimDabell: Note that this is an implementation of eIDAS: https://www.eudi-wallet.eu/

  The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.

  If somebody who has access to your unlocked phone can access the data in the app, then this is something that should be tightened up, but it's a substantial privacy improvement over the far more commonplace option of uploading your ID to every website that wants to know if you are an adult.

  It's an attempt to avoid things like this:

  > Discord says 70k users may have had their government IDs leaked in breach (Oct 2025, 435 comments) - https://news.ycombinator.com/item?id=45521738
- Teafling: The title of the original article seems wrong; they didn't launch the app, they published the source code ahead of the launch.
- runnkos:
  1. Devs forgot to delete images in some failed scenarios. Images that do not get sent anywhere and remain locally. In an open source app, anyone can point calmly to the bug and it will get fixed easily.
  2. "an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file"... Any Android developer knows that to access the shared prefs file you need ROOT access on the phone, which is impossible on the stock OS. Rooting the phone requires advanced knowledge. It means deliberately nuking your phone security, which most likely will require factory resetting the phone in the process. Or a hacker would need to use a sophisticated exploit, maybe even a 0day, to access an app that would allow him to log in on some adult sites. Sounds reasonable (no).

  So, the guy found two very superficial problems in an early demo app. He does not even look at the important code with the actual implementation of the zero-knowledge proof cryptography, as it is way above his skill level. Throws malicious allegations mixed with blatant lies. Cries for attention to the whole internet and it gets amplified by news and people who understand security and technology even less than him. He dares call it "hacking" in under 2 minutes. That's just disgusting.

  He even calls himself "Security Consultant". Lord have mercy on whoever is going to work with him.
- nikolay: They didn't launch an app per se; they've released the source code of such an app. So, let's be more precise on the terminology, please!
- akabalanza: If my kids cannot change a boolean into a json, they do not deserve the [redacted]
- nalekberov: The title seems totally misleading. The app still hasn't launched. There's only so long you can run on hype before you lose the readers you were trying to win over.
- James_K: The "hack" in question is pointing out that the app forgets to delete images of the user's face and ID (stored). A lot of people have pictures of their face already on the phone, and often their ID as well, so this is hardly a security flaw in any real sense.
- ChrisArchitect: Previously on source: https://news.ycombinator.com/item?id=47803773
- soco: "Let's say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18." And how is that something that could, or should, be addressed by the app? Are we even serious??
- close04: On top of the pretty bad article, HN finds the "can't win" scenario again. There's no age verification scheme that will survive "collusion", that's when the adult allows the minor to use validated credentials, devices, etc. And whatever more intrusive age verification schemes we come up with will also fail this but add the intrusiveness to ruffle even more HN feathers. We can have the constant face, fingerprint and DNA scan for as long as the sensitive app is used. Everything gets stored on a central server for safety so your kid can't hack the device and replace the reference sample. /s

  > "Let's say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."

  Love the magic step in the middle, unlock my app. Ask for passcode or FaceID to "unlock your app". That's a lot of legwork the adult has to do so the child can "trick" the system.

  Some people will forever be shocked that if they leave on the table an open booze or medicine bottle, loaded gun, etc., a child can just take them and misuse them. The blame is unmistakably with bottle and gun manufacturers, right?

  Put a modicum of effort into protecting the sensitive apps or supervise the child when you share your device. They can do a lot of damage even with age-appropriate apps. Wanna see how quickly your kid will tell everyone on the net how much money you have (via proxies), where you live, and when you go on vacation? Or tell someone the credit card number they swiped from your pocket if the other person makes it sound like a game?
- mrweasel:
  > "Let's say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."

  While I appreciate that zero-knowledge proofs are considered, how the hell did no one in charge of the app design think of this? It's literally the first question I asked when I first heard about this app. You go to the app in a store to buy alcohol, you're asked to verify your age, but that's not what you're doing. You're simply showing the store that you have a phone, with an app, which was configured by someone over 18 (maybe).

  Honestly I don't think it's possible to verify that you're over 18 without also providing something like a photo ID (and even that is error prone).

  You can probably do something online, where the website or app does some back channel communication to a server that verifies a token. Even that is going to have issues. You could add a "List of sites that have verified your age" option where you can revoke the verification, in case your nephew borrows your phone.

  They are going to implement this and it will be "good enough", but I don't see this being 100% secure or correct.