$2 million EU age verification app gets update, promptly bypassed for a second time
The $2 million EU age verification app is 0:2 against a guy with an AI-generated Chrome extension.

Image by Cybernews.
- Paul Moore bypassed the updated EU age verification app for the second time, using an AI-generated Chrome extension, proving recent security patches were ineffective.
- Despite a €2 million contract and continuous updates, the app remains unable to reliably perform its primary function.
- The researcher argues the app’s zero-knowledge architecture is fundamentally flawed and requires a complete redesign to prevent tampering.
The European age verification (AV) app has suffered another major blow after the same security researcher once again demonstrated a bypass using a simple Chrome extension.
The European Commission initially intended to launch national age verification apps by early 2026.
The app was unveiled in April, but Paul Moore, a security consultant, bypassed it in less than 2 minutes.
Since then, the app has received several updates, with the latest release on July 10th, 2026.
On July 13th, Ursula von der Leyen, the President of the European Commission, reiterated her commitment to protect children online and the need for age-appropriate restrictions.
“And here, our age verification app is one of the tools to get it done. It is easy to use, privacy-preserving, and open source. This is about putting power back into the hands of parents,” von der Leyen said.
The problem – after 2,411 commits in total on GitHub, it still fails to do the one job it’s supposed to do – reliably verify the age of the user.
Moore once again demonstrated how easily the app can be bypassed with a Chrome extension and claimed that anonymous age verification simply doesn’t work.
“Despite 3 months of security hardening and genuine improvements across the board, the fundamental issue cannot be solved,” Moore said in a post on X.
The app remains a work in progress, and its GitHub page warns that the demo version is being updated and the team will continue to release updates for community testing.
The app was contracted last year by the EC last year – a German-Swedish consortium signed a €2 million, 24-month contract in January 2025.
The technical specification requires that the age-gating app acts as “a digital wallet for storing a proof of age as a form of digital attestation.” The zero-knowledge solution should present the proof of age to online platforms, proving that the user is of appropriate age.
But Moore claims that his AI assistant created the bypass entirely “in a matter of minutes.”
“The verifier has ‘absolutely no information’ other than an ‘over 18’ attestation, so cannot detect malicious activity. It’s also re-presenting the same assertion over and over again... the ‘single use’ protection is client-enforced,” Moore explained.
The researcher assures that this design flaw can’t be fixed unless the entire architecture is changed to de-anonymize each session.
Moore’s video demonstrates that the EU Age Verification solution ultimately accepts credentials presented from the Chrome extension.
The bypass proof-of-concept requires no passport scans, face matches, or device binding. The same forged software key can be reused multiple times.
The whole model is built on the trust that the client app won’t be tampered with, which can only be achieved through Google Play integrity or hardware attestation – it would break the “zero-knowledge” requirement and depend on big tech gatekeeping.
Cybernews has already reported that a growing number of countries in the EU and around the world are cracking down on online harms to children.
EU lawmakers previously passed a resolution to impose social media age limits, proposing bans for children under 13 and parental consent requirements up to age 16.