The European Commission has introduced an age verification app that claims full anonymity, but just two days after its release, a security expert demonstrated the possibility of bypassing the protection, which provoked a sharp reaction from Telegram's head Pavel Durov.
Application with a focus on privacy
On April 14, 2026, the European Commission published an official statement about the launch of an application for verifying users' age online. According to the description, the tool allows age verification without disclosing additional personal data. Users can download the application, set it up using a passport or ID card, and then confirm their age when accessing online platforms.
Developers emphasize the key features of the solution:
full anonymity without the possibility of tracking user actions;
support for all types of devices — smartphones, tablets, and computers;
open source code, available for review and improvement;
integration with national digital wallets.
France, Denmark, Greece, Italy, Spain, Cyprus, and Ireland have already announced plans to implement the technology in their systems. At the same time, other countries and online platforms have also been given the opportunity to use this solution.
Architectural vulnerability
On April 16, cybersecurity expert Paul Moore demonstrated a way to bypass the application's protection. In the published analysis, he showed that it is sufficient to access the shared preferences file on the device to remove the values of the encrypted PIN code, reset the login attempt counter, and disable the requirement for biometric authentication.
After performing these actions and restarting the application, the user can set a new PIN code and access the already verified age data. Moore emphasized that this is a demonstration version — the so-called reference implementation, intended for testing and adaptation by developers in EU countries.
However, the key conclusion of the expert is that the problem is not a random implementation error. According to him, the vulnerability is embedded in the architecture itself, as the system trusts the user's device, which opens up possibilities for manipulation at the local level.
Pavel Durov's reaction
On April 17, Telegram head Durov criticized the situation on the social network X. In his message, he stated: "The age verification application that the EU wants to impose on the world was hacked in two minutes."
In the next post, he added that the problem is fundamental: the system initially trusts the user's device, which makes it vulnerable at the architectural level.
Durov also outlined a possible scenario for the development of the situation:
presentation of a solution with declared privacy protection, but with vulnerabilities;
public hacking of the system;
revision of the architecture with a reduction in the level of privacy under the pretext of enhancing security.
In his opinion, the outcome could be a surveillance tool that will be positioned as a solution that respects user privacy.
#Telegram #Durov #Privacy #Write2Earn
