April 20, 2026
Ready, set… hack?
Brussels launched an age checking app. Hackers took 2 minutes to break it
EU says it’s ready, hackers say “2 minutes”; comments roast the “nephew exploit”
TLDR: EU age-check code called “technically ready” drew instant hacks and mockery; Brussels said it was a demo and fixed, while researchers insisted they used the latest. Comments split between privacy defenders and skeptics roasting the “nephew with your phone” scenario, all warning trust in EU digital IDs is on the line.
The EU rolled out code for an age-checking app and called it “technically ready.” The internet replied: hold my beer. Within hours, security folks claimed they cracked it in minutes and found that sensitive info wasn’t properly protected. Brussels then insisted it was just a demo, but experts shot back: we tested the latest code. Cue chaos, memes, and a full-blown comment war.
Community sleuths split into camps. One camp says the headline is misleading: they didn’t launch an app, they released source code early. Another camp is facepalming at design choices, joking about the “nephew exploit” — the idea that a kid could grab your unlocked phone and sail past checks. Privacy defenders remind everyone this is tied to EUDI Wallet under EU eIDAS rules (the EU’s digital ID framework) and uses “zero-knowledge” tech — basically, you prove you’re over 18 without revealing who you are. That drew nods, but critics fired back: fancy math doesn’t fix sloppy basics.
The comment section turned theatrical. People joked it was “Schrödinger’s app” — somehow “final” and “demo” at the same time. Others quipped it’s “technically ready… if you don’t touch it.” Calls to publish full security audits before any launch got loud. The stakes? Trust in future digital IDs and whether the EU can protect kids online without breaking privacy — or its own PR.
Key Points
- •The European Commission unveiled open-source code for an online age-verification app, described as “technically ready.”
- •Security researchers quickly reported vulnerabilities, including unprotected data storage and bypassable biometric authentication.
- •The Commission said the public code is a demo version, fixes were applied, and further updates will follow; final app is not yet available to citizens.
- •Researchers Paul Moore and Olivier Blazy disputed the Commission’s claim, saying they tested the latest code online.
- •The episode highlights wider EU efforts and divisions over online age checks, with European leaders coordinating on policies to protect minors.