The European Union’s new age verification app, which is designed to protect children online, can be hacked in “two minutes”, according to the boss of popular messaging app Telegram.
Pavel Durov joined cyber security experts and privacy campaigners in questioning the security of the new initiative, describing it as a “surveillance tool”.
“The EU age verification app was hackable by design – it trusted the device (that’s instant game over),” he wrote on X.
“But don’t rush to laugh at EU bureaucrats. All they needed was another excuse to erode our freedoms. This ‘surprising hack’ just handed it to them.”
The European Commission announced the new age verification app last week, claiming it would “hold online platforms accountable” and prioritise children’s safety over commercial interests.
It is designed to roll out across Europe, requiring citizens to input a recognised government ID like a passport in order to access online platforms.
Ahead of its release, European Commission President Ursula von der Leyen said the app “respects the highest privacy standards in the world” and would not reveal a user’s personal information to third party sites and services.
“Put simply, it is completely anonymous,” she said. “Users cannot be tracked.”
She also revealed that the app is fully open source, meaning anyone can check the underlying code.
This prompted security researchers to see what data it stored on a person’s device, as well as how easy it is to bypass.
In a widely shared post on X, security consultant Paul Moore claimed to have uncovered a “serious privacy issue”.
He said that the source image of the passport, ID or selfie used to collect a user’s biometric data was not encrypted and could not be properly deleted.
“Leaving the original image on disk is crazy and unnecessary,” he wrote. “I don’t think anyone disputes the need to protect children from online harm, but this really isn’t the solution.”
A spokesperson for the European Commission said that the app is technically ready for launch, but added that it is still a demo version.
“Yes, it is ready,” said chief spokesperson Paula Pinho on Friday. “Maybe we can add, ‘and it can always be improved’.”
Speaking to The Independent, European Commission spokesperson Thomas Regnier said: “Protecting minors online is a priority of the Commission... The EU age verification app is our answer to all the platforms who said there is no solution to check the ages of users accessing their services.
“The app and the features are user friendly, open-source and with the highest privacy standards based on zero knowledge proof. The app is fully privacy-preserving: when presented to an online service, the age proof simply confirms whether the user meets the age requirement.”
ChatGPT maker launches special version that is better at hacking
Why do hacks happen? How cyber attacks are changing everything
Booking.com holiday site users warned that their personal data could have been stolen
Anthropic reveals new AI that is so powerful it could break the internet
Apple has launched an urgent update because of a devastating hack
Why 2026 is the most dangerous year ever to be on the internet
