{"id":14314,"date":"2026-07-15T10:03:41","date_gmt":"2026-07-15T10:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/15\/researcher-claims-bypass-of-eu-age-verification-app-using-chrome-extension\/"},"modified":"2026-07-15T10:03:41","modified_gmt":"2026-07-15T10:03:41","slug":"researcher-claims-bypass-of-eu-age-verification-app-using-chrome-extension","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/15\/researcher-claims-bypass-of-eu-age-verification-app-using-chrome-extension\/","title":{"rendered":"Researcher Claims Bypass of EU Age Verification App Using Chrome Extension"},"content":{"rendered":"<p>    Researcher Claims Bypass of EU Age Verification App Using Chrome Extension<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">Security researcher Paul Moore has <a href=\"https:\/\/cybersecuritynews.com\/eus-age-verification-app\/\" target=\"_blank\" rel=\"noreferrer noopener\">once again exposed critical weaknesses<\/a> in the EU\u2019s flagship age verification system, this time by bypassing the latest app release (version 2026.07-1) using a Chrome extension powered by ClaudeAI.<\/p>\n<p class=\"wp-block-paragraph\">The proof-of-concept shows that, despite months of \u201csecurity hardening,\u201d a fundamental design flaw in the anonymous age verification model still allows reusable over\u201118 attestations without tying them to a real user identity.<\/p>\n<p class=\"wp-block-paragraph\">In a newly published video on X, Paul demonstrates how the updated EU age verification app can be tricked into repeatedly accepting the same \u201cover 18\u201d token in the browser, without any fresh verification or identity linkage.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-x wp-block-embed-x\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-x\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Bypassing the latest <a href=\"https:\/\/x.com\/hashtag\/EU?src=hash&amp;ref_src=twsrc%5Etfw\">#EU<\/a> <a href=\"https:\/\/x.com\/hashtag\/ageVerification?src=hash&amp;ref_src=twsrc%5Etfw\">#ageVerification<\/a> app (2026.07-1) with a Chrome extension\u2026 again.<\/p>\n<p>Despite 3 months of security hardening and genuine improvements across the board, the fundamental issue cannot be solved.<\/p>\n<p>Anonymous age verification doesn&#8217;t work. <a href=\"https:\/\/t.co\/NSfvuQAeXz\">https:\/\/t.co\/NSfvuQAeXz<\/a> <a href=\"https:\/\/t.co\/hwRTxiZiwZ\">pic.twitter.com\/hwRTxiZiwZ<\/a><\/p>\n<p>\u2014 Paul Moore \u2013 Security Consultant \uea00 (@Paul_Reviews) <a href=\"https:\/\/x.com\/Paul_Reviews\/status\/2077029355587334526?ref_src=twsrc%5Etfw\">July 14, 2026<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.x.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p class=\"wp-block-paragraph\">Instead of attacking the cryptography or breaking server-side checks, the Chrome extension intercepts and replays the anonymous age proof whenever a site requests age verification, effectively reusing a single successful attestation across multiple sessions.<\/p>\n<p class=\"wp-block-paragraph\">Because the app is designed to confirm only that a user is above a certain age while deliberately withholding personal information, the relying website never knows whether the proof belongs to the person actually at the keyboard. This separation between age assertion and user identity becomes the core weakness the extension exploits.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-x wp-block-embed-x\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-x\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Notes:<br \/>This PoC was created entirely by <a href=\"https:\/\/x.com\/hashtag\/ClaudeAI?src=hash&amp;ref_src=twsrc%5Etfw\">#ClaudeAI<\/a> in a matter of minutes.<br \/>Don&#8217;t focus on enrolment (that part is invalid in a test environment). Instead, focus on the presentation and the fact the verifier has *absolutely no information* other than an &#8220;over 18&#8221; attestation, so\u2026<\/p>\n<p>\u2014 Paul Moore \u2013 Security Consultant \uea00 (@Paul_Reviews) <a href=\"https:\/\/x.com\/Paul_Reviews\/status\/2077029358221332892?ref_src=twsrc%5Etfw\">July 14, 2026<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.x.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p class=\"wp-block-paragraph\">At the heart of the issue is the EU\u2019s policy goal: \u201cprivacy-preserving\u201d age checks that do not share names, IDs, or other sensitive data with websites. Technically, this translates into an anonymous attestation model, where the verifier receives a binary statement such as \u201cuser is over 18\u201d rather than a full identity profile.<\/p>\n<p class=\"wp-block-paragraph\">Paul\u2019s bypass shows that, in practice, this anonymity prevents robust binding between the attestation, the user, and the specific session. If a single valid over\u201118 token can be captured and replayed, the system cannot distinguish legitimate use from abuse.<\/p>\n<p class=\"wp-block-paragraph\">The result is a situation where any technically capable user or a malicious actor can effectively turn one genuine verification into a generic \u201cadult access pass\u201d for multiple sites and contexts.<\/p>\n<p class=\"wp-block-paragraph\">EU officials have claimed that the app has undergone three months of security improvements, including better storage of secrets and hardened client-side protections.<\/p>\n<p class=\"wp-block-paragraph\">Yet Paul said that incremental patches cannot solve the underlying architectural problem: the trust model still hinges on anonymous, reusable proofs with limited context and weak resistance to replay or automation.<\/p>\n<p class=\"wp-block-paragraph\">From a security engineering standpoint, this is less a \u201cbug\u201d and more a structural mismatch between privacy requirements and enforcement needs.<\/p>\n<p class=\"wp-block-paragraph\">For website operators preparing for EU age verification mandates, Paul\u2019s work is a warning that relying solely on the official app may not deliver the intended protection.<\/p>\n<p class=\"wp-block-paragraph\">Attackers do not need zero-day exploits or complex malware; they can leverage browser automation and extension logic to bypass policy controls at the integration layer.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer \u2013 <\/strong><a href=\"https:\/\/blackpointcyber.com\/webinar\/webinar-blackpoint-ai-a-decade-in-the-making\/?utm_source=3s_cybersecuritynews&amp;utm_medium=&amp;utm_campaign=26q3_webinar_blackpoint-ai-a-decade-in-the-making&amp;utm_content=&amp;utm_term=\"><strong>Attend a Free Webinar<\/strong><\/a><strong> on AI SOC Agent to contain a live attack.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/researcher-bypass-of-eu-age-verification\/\">Researcher Claims Bypass of EU Age Verification App Using Chrome Extension<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/researcher-bypass-of-eu-age-verification\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researcher Claims Bypass of EU Age Verification App Using Chrome Extension Security researcher Paul Moore has once again exposed critical weaknesses in the EU\u2019s flagship age verification system, this time by bypassing the latest app release (version 2026.07-1) using a Chrome extension powered by ClaudeAI. The proof-of-concept shows that, despite months of \u201csecurity hardening,\u201d a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-14314","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14314"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14314"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14314\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14314"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}