
Posted by axbyte 1 day ago

Brussels launched an age checking app. Hackers took 2 minutes to break it (www.politico.eu)
255 points | 160 comments | page 2
gorgoiler 9 hours ago|
This all feels a bit like letting children into a nightclub and then needing to see ID every time you buy a drink.
RobertoG 8 hours ago||
Right? It seems to me that the filter should be at the device level by the parents.
Cthulhu_ 2 hours ago||
What if they use someone else's device though? Or circumvent the filter? Come on, this is Hacker News, "we" circumvent guardrails because we can and because we know no security is perfect, often from a young age.

I love how a lot of the "this is the parents' responsibility" opinion-havers don't seem to remember what it was like to be a kid themselves and / or don't have kids of their own.

crimsoneer 6 hours ago||
... isn't this how most bars/pubs work?
RobertoG 3 hours ago|||
The metaphor still works, minors in pubs are, presumably, under the supervision of their parents, otherwise they have no business being there in the first place.
Cthulhu_ 2 hours ago||
That's a big "presumably", lots of teenagers go out you know.
nikolay 16 hours ago||
They didn't launch an app per se - they've released the source code of such an app. So, let's be more precise on the terminology, please!
dlahoda 5 hours ago||
Why does it need documents? From the video of the liveness check it is clearly visible that a 35-year-old bearded man is over 18.
throw_await 7 hours ago||
The EU let Ursula von der Leyen say a lot of false statements about this https://netzpolitik.org/2026/gesichtsscan-und-handy-zwang-vo...
ahartmetz 7 hours ago|
She is basically a human bullshit generator whose goal function is attaining power.
akabalanza 1 day ago||
If my kids cannot change a boolean into a json, they do not deserve the [redacted]
mghackerlady 16 hours ago|
I don't work with json very often, and this is probably a joke, but how would that even work?
testaccount28 13 hours ago||
op meant "in" not "into"
PowerElectronix 2 hours ago||
Another day, another story about how far behind the EU is in tech.
nalekberov 14 hours ago||
The title seems totally misleading.

The app still hasn’t launched. There’s only so long you can run on hype before you lose the readers you were trying to win over.

atoav 6 hours ago||
It would be possible to implement age verification in a way that would somewhat work and that would be to use the correct crypto on a government-issued ID card. Crypto where the OS (or a website) can ask the card: "Is the holder of that card over X years old y/n?" and the card would just answer with a binary yes no question without exposing any other data while still checking the government signature.

Obviously that won't stop motivated teens from taking their parents' ID cards or similar mechanisms. That means any system that likes to prevent that needs to additionally ensure the identity of the card holder. And then you create a privacy nightmare.

So my proposal would be to accept that nothing is ever perfect and just use the card and ensure that system works as well as it could.

Of course "card" is a stand-in for all manner of hardware that can do it, including phones.

anticrymactic 2 hours ago||
> Crypto where the OS (or a website) can ask the card: "Is the holder of that card over X years old y/n?" and the card would just answer with a binary yes no question without exposing any other data while still checking the government signature.

This is the same as "What's the card holder's age" by simply binary searching for it. A better way would be:

1. Have the card define the country's age access levels. (Example in Germany: >=16 [Beer/Wine], >=18 everything else)

2. The app can only ask: "Is [BEER] allowed for the card holder y/n?"

This makes it immediately cross-legislative and protects the exposed data from meta analysis.

Edit: This would allow for self-exclusion too. Make it possible for individuals to give up access to gambling/alcohol/tobacco/porn nationally.
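
The binary-search point above, as an added example that is not part of any comment in this thread: a constructed Python model of a card with a free "at least X years" query next to one that answers only for issuer-defined categories. Class names, the `BEER`/`ADULT` table and the dates are assumptions made for illustration, and signature checking is left out.

```python
from datetime import date

def age_on(birth, today):
    """Whole years between birth and today."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))

class ThresholdCard:
    """Answers 'is the holder at least X years old?' for any X the verifier picks."""
    def __init__(self, birth, today):
        self._age = age_on(birth, today)
        self.queries = 0

    def is_at_least(self, years):
        self.queries += 1
        return self._age >= years

class CategoryCard:
    """Answers only for categories the issuer defined; thresholds stay on the card."""
    LEVELS = {"BEER": 16, "ADULT": 18}  # constructed table, after the German example

    def __init__(self, birth, today, self_excluded=()):
        self._age = age_on(birth, today)
        self._excluded = frozenset(self_excluded)

    def is_allowed(self, category):
        if category not in self.LEVELS:
            raise ValueError(f"unknown category: {category}")
        return category not in self._excluded and self._age >= self.LEVELS[category]

def recover_age(card, max_age=127):
    """Binary search over the free threshold: exact age in log2(max_age + 1) queries."""
    lo, hi = 0, max_age
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if card.is_at_least(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def category_view(card):
    """Everything a verifier can learn from a CategoryCard: one bit per category."""
    return {c: card.is_allowed(c) for c in sorted(CategoryCard.LEVELS)}

TODAY = date(2026, 4, 20)  # constructed sample date
if __name__ == "__main__":
    leaky = ThresholdCard(date(1990, 5, 10), TODAY)
    print("threshold card leaks age", recover_age(leaky), "in", leaky.queries, "queries")
    for born in (date(1990, 5, 10), date(1966, 1, 2), date(2008, 6, 1)):
        print(born, category_view(CategoryCard(born, TODAY)))
```

With the category interface, a 35-year-old and a 60-year-old produce the same answers, so the verifier learns only which legal bucket the holder falls into.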

Cthulhu_ 2 hours ago||
In the Netherlands we have a better system called iDIN; it works like doing an online payment (iDeal / WERO):

* Website asks for age verification
* User is redirected to their bank
* Bank asks the user to log in - username/password, 2fa, bank app (whose login is behind the device's security and a secondary verification like PIN code or biometrics)
* Bank tells the requester that the user is 18+, no more

This leverages a trusted party (your bank, which is subject to heavy IT security regulation and audits, and you need to show ID to open an account anyway), secrets only you know (and your kids can't easily take), phone security systems, etc. Does not require uploading ID to a 3rd party, does not require changing how IDs work, etc.

ChrisArchitect 22 hours ago||
Previously on source: https://news.ycombinator.com/item?id=47803773
James_K 15 hours ago|
The “hack” in question is pointing out that the app forgets to delete images of the user's face and ID (stored). A lot of people have pictures of their face already on the phone, and often their ID as well so this is hardly a security flaw in any real sense.
philipallstar 4 hours ago|
"Lots of people choose to keep their key under their mat, so our lock not stopping anyone is hardly a security flaw in any real sense".
James_K 3 hours ago||
But it's not “lots of people,” it's everyone. Everyone has a picture of their face on their phone. And the information is encrypted because phones use disk encryption by default. “Someone can get a photo of your face and passport if they have full unencrypted access to your phone's hard drive” is like saying “someone could turn off your alarm and make you late for work if they break into your house.” There are simply bigger concerns in that situation.