Researcher Claims Bypass of EU Age Verification App Using Chrome Extension

Researcher Claims Bypass of EU Age Verification App Using Chrome Extension










Security researcher Paul Moore has once again exposed critical weaknesses in the EU’s flagship age verification system, this time by bypassing the latest app release (version 2026.07-1) using a Chrome extension powered by ClaudeAI.

The proof-of-concept shows that, despite months of “security hardening,” a fundamental design flaw in the anonymous age verification model still allows reusable over‑18 attestations without tying them to a real user identity.

In a newly published video on X, Paul demonstrates how the updated EU age verification app can be tricked into repeatedly accepting the same “over 18” token in the browser, without any fresh verification or identity linkage.

Instead of attacking the cryptography or breaking server-side checks, the Chrome extension intercepts and replays the anonymous age proof whenever a site requests age verification, effectively reusing a single successful attestation across multiple sessions.

Because the app is designed to confirm only that a user is above a certain age while deliberately withholding personal information, the relying website never knows whether the proof belongs to the person actually at the keyboard. This separation between age assertion and user identity becomes the core weakness the extension exploits.

At the heart of the issue is the EU’s policy goal: “privacy-preserving” age checks that do not share names, IDs, or other sensitive data with websites. Technically, this translates into an anonymous attestation model, where the verifier receives a binary statement such as “user is over 18” rather than a full identity profile.

Paul’s bypass shows that, in practice, this anonymity prevents robust binding between the attestation, the user, and the specific session. If a single valid over‑18 token can be captured and replayed, the system cannot distinguish legitimate use from abuse.

The result is a situation where any technically capable user or a malicious actor can effectively turn one genuine verification into a generic “adult access pass” for multiple sites and contexts.

EU officials have claimed that the app has undergone three months of security improvements, including better storage of secrets and hardened client-side protections.

Yet Paul said that incremental patches cannot solve the underlying architectural problem: the trust model still hinges on anonymous, reusable proofs with limited context and weak resistance to replay or automation.

From a security engineering standpoint, this is less a “bug” and more a structural mismatch between privacy requirements and enforcement needs.

For website operators preparing for EU age verification mandates, Paul’s work is a warning that relying solely on the official app may not deliver the intended protection.

Attackers do not need zero-day exploits or complex malware; they can leverage browser automation and extension logic to bypass policy controls at the integration layer.

Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer – Attend a Free Webinar on AI SOC Agent to contain a live attack.

The post Researcher Claims Bypass of EU Age Verification App Using Chrome Extension appeared first on Cyber Security News.






Guru Baran





Go to cyber-security-news





Posted

in

,

by