
The EU's New Age Verification App Got Cracked in 2 Minutes

Brussels spent months hyping its new age verification app as the cornerstone of a safer internet for European kids. It shipped. Within two minutes, researchers had it wide open. The videos started circulating in mid-April, and the tech community’s reaction has been less “oh no” and more “told you so.”

Two Minutes Is Not a Number. It’s a Verdict.

The facts are embarrassingly clean. The EU’s official age verification app hit distribution, security researchers poked at it, and the bypass was trivial. MatthewNapier’s April 19 YouTube video — bluntly titled “EU’s Age Verification App Got Hacked In 2 Minutes lol” — captured the mood. A more technical teardown posted April 17 has already pulled in over 15,000 views and nearly 600 likes.

Two minutes doesn’t just mean “fast.” It means there is effectively no barrier to entry. A system built with public money, political authority, and the weight of EU law behind it folded to an attack any mid-level developer could replicate on a lunch break. That’s not a bug. That’s an architecture problem.

How Does Something Like This Even Happen?

The typical age verification flow looks reasonable on paper. A user proves their age once — passport, national ID, whatever — and the app issues a token saying “this person is over 18.” Websites check the token. Access granted.

The weak point is almost always in how that token gets validated. The bypasses researchers demonstrated fall into two familiar patterns. First, token replay: a valid token issued to one user gets copied and reused across devices or accounts. Second, client-side validation: if the app trusts checks happening on the user’s own device instead of a server, a debugger and ten minutes of curiosity will get you through.

Think of it as a wristband at an amusement park — except the wristband is photocopyable, and the staff only glances at the color.
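To make the two patterns above concrete, here is an added example (not code from the EU app, the article, or the teardown videos) of a minimal age attestation token with the defences those patterns call for: the relying party's server checks the signature itself, binds the token to one site and a short lifetime, and records each token's one-time id so a second presentation is refused. The token format, the field names, the HMAC-SHA256 scheme and the secret are assumptions for illustration, not the real EU protocol; the "weak" check shows what a client-side check accepts that the server-side check does not.

```python
"""Added example: server-side validation and replay rejection for a toy
age attestation token. Format, field names and keys are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed demo secret, held only by the verifying server (assumption).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, audience: str, over18: bool, ttl: int = 300,
                now: Optional[float] = None) -> str:
    """Issuer side: sign a claim bound to one relying party (aud), short-lived
    (exp) and carrying a random one-time id (jti) for replay detection."""
    now = time.time() if now is None else now
    payload = {
        "over18": over18,
        "aud": audience,               # which site may accept this token
        "iat": int(now),
        "exp": int(now) + ttl,         # short lifetime narrows the replay window
        "jti": secrets.token_hex(16),  # unique id so the verifier can spot reuse
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def weak_client_side_check(token: str) -> bool:
    """The anti-pattern from the article: trust the claim without checking
    who signed it. Any edit to the payload passes this check."""
    body, _sig = token.split(".")
    return bool(json.loads(_unb64(body)).get("over18"))


class ReplayCache:
    """Server-side record of token ids already accepted. In memory here;
    a real deployment would use a shared store with expiry (assumption)."""

    def __init__(self) -> None:
        self.seen: Dict[str, int] = {}

    def first_use(self, jti: str, exp: int, now: int) -> bool:
        # Forget ids whose tokens have expired; they can no longer be replayed.
        self.seen = {j: e for j, e in self.seen.items() if e > now}
        if jti in self.seen:
            return False
        self.seen[jti] = exp
        return True


def verify_server_side(secret: bytes, token: str, audience: str,
                       cache: ReplayCache, now: Optional[float] = None) -> bool:
    """Relying party's server: signature, then audience and expiry, then
    single-use. Only after all of that is the age claim believed."""
    now_i = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False  # forged or tampered payload
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience or int(claims.get("exp", 0)) <= now_i:
        return False  # issued for another site, or stale
    if not cache.first_use(str(claims.get("jti", "")), int(claims["exp"]), now_i):
        return False  # replay: the same token was already presented
    return bool(claims.get("over18"))


def edited_claim_token(token: str) -> str:
    """Constructed test input: the payload's over18 field flipped to True while
    the original signature is kept, i.e. what a client-side check cannot detect."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["over18"] = True
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"


if __name__ == "__main__":
    cache = ReplayCache()
    adult = issue_token(SERVER_SECRET, "example-site", over18=True, now=1000)
    minor = issue_token(SERVER_SECRET, "example-site", over18=False, now=1000)
    print("honest adult, first use :", verify_server_side(SERVER_SECRET, adult, "example-site", cache, now=1001))
    print("same token replayed     :", verify_server_side(SERVER_SECRET, adult, "example-site", cache, now=1002))
    print("edited minor, weak check:", weak_client_side_check(edited_claim_token(minor)))
    print("edited minor, server    :", verify_server_side(SERVER_SECRET, edited_claim_token(minor), "example-site", cache, now=1001))
```

The point of the design is where the trust boundary sits: nothing the user's device asserts is believed until the server has checked the issuer's signature, and a valid token is good for exactly one presentation to exactly one audience within a short window. A shared replay store keyed on `jti` is what turns "copy the wristband" into a detected event rather than a free pass.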

The Real Problem Isn’t the Bug. It’s the Blueprint.

Here’s the part that should concern you even if the technical flaws get patched next week. This app isn’t really about age. It’s the first production piece of an EU-wide digital identity infrastructure — a system that quietly binds every citizen’s real-world ID to their online activity. Privacy advocates have been flagging this trajectory for years, and now we’re watching it deploy in real time.

The critique you’ll find repeated across Hacker News threads, Reddit, and the comment sections on these teardown videos lands on the same irony. Governments pitch age verification as child protection. What actually gets built is a pipe that links every adult’s browsing to a state-issued identity. By design, age checking requires infrastructure that can correlate “who is visiting which site.”

And the punchline writes itself: if the system is this easy to bypass, the teenagers it’s supposed to protect will bypass it. The only people whose identities actually get logged are the law-abiding adults who use it honestly. Protection fails for the target group; surveillance succeeds on everyone else.

The UK, Australia, and the Global Pattern

This isn’t an isolated Brussels stumble. The UK’s Online Safety Act is already pushing similar age gates onto platforms operating there. Australia is mid-rollout on a ban for under-16s on social media. Across the democratic world, “prove who you are to use the internet” is being quietly reframed from dystopian fiction into public infrastructure.

Two risks keep showing up together. The first is technical immaturity — state-driven IT projects are chronically shipped on political timelines, not security timelines, and this EU launch is textbook. The second is scope creep: infrastructure installed for one purpose rarely stays there. An age-check pipe is a short jump from a content-filtering pipe, which is a short jump from a logging pipe. Ask anyone who remembers how TSA “temporary” airport measures turned out.

What This Should Actually Teach Us

The lesson here is unglamorous but important: good intentions don’t produce secure systems. Any public IT infrastructure meant for an entire population needs public security audits and independent review before shipping — not after a YouTuber embarrasses you. Two minutes to bypass is not a security result. It’s proof that process didn’t happen.

The uncomfortable question for every democracy watching this unfold is the one the EU hasn’t answered. Is it a fair trade to make every adult legible to the state online, in exchange for a child-safety measure that doesn’t actually stop children? Or is there a design where privacy and protection aren’t mutually exclusive — we just haven’t been asked to build it yet?

