https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
Article
- Brussels published source code for eIDAS-based age verification app ahead of launch.
- Researchers found a boolean flag in JSON could bypass age check entirely.
- App uses zero-knowledge proofs to avoid disclosing identity to websites.
- Title misleading: app wasn’t launched yet — source code review found the flaw.
Discussion
- Title disputed: source code was published, not a live app — flaw found pre-launch.
- ‘Nephew attack’ debated: sharing a verified phone can’t realistically be prevented by any app.
- eIDAS ZKP architecture praised; the implementation bug is separate from the protocol design.
- Commenter quip: ‘If my kids cannot change a boolean in a JSON, they don’t deserve it.’