The European Commission’s age verification app has been bypassed for a second time by the same security researcher who exposed flaws in the original release earlier this year. According to researcher Paul Moore, recent security updates failed to address the application’s underlying design issues, allowing him to circumvent its protections using an AI-generated Chrome extension.
Moore said the latest version introduced additional protections, including encrypted preferences and root detection, but argued these measures only hardened the application against basic attacks without fixing what he described as a fundamental architectural weakness. In a demonstration published online, he showed how the app could still be manipulated to produce successful age verification results.
The researcher contends that the system places too much trust in software running on the user’s own device, making it vulnerable to tampering. He argues that attackers can modify the application’s behavior before verification data is transmitted, rendering many local security controls ineffective. Moore said the issue cannot be fully resolved through incremental patches and would instead require a redesign of the verification model.
The findings come just months after Moore demonstrated that an earlier version of the application could be bypassed in less than two minutes. Following that disclosure, the European Commission released updates intended to strengthen the app’s security and said it welcomed feedback from the cybersecurity community as development continued.
The age verification app is being developed as part of the European Union’s broader effort to protect minors online while preserving user privacy. The system is designed to allow users to prove they meet minimum age requirements without revealing unnecessary personal information and is intended to serve as a temporary solution before the rollout of the EU Digital Identity Wallet.
The European Commission has not publicly responded to Moore’s latest demonstration. It has previously stated that the project remains under active development and that improvements will continue before wider deployment. At this stage, there is no indication that the Commission plans to suspend the initiative, despite renewed criticism from security researchers who argue that its architecture should be reconsidered.
