It took them two minutes to hack the EU app for minors. It’s not as serious as it seems

In the middle of the week, the EU announced that it already had its tool ready to verify age on the internet. It put on the table a solution to prove identity when accessing online services and, finally, to unify a control method for minors. In just 48 hours someone has already hacked the application, but there is a catch.

What has happened. Paul Moore, a cybersecurity consultant, shows on X the vulnerabilities of the app that the European Union promised to have ready. Specifically, the app asks us to create a PIN of four to six digits to protect our identity. A PIN that is, in theory, encrypted and saved in a file.

Moore has discovered that, at least in the version of the app that he has been able to test, the encryption PIN can be deleted from the file and the previously configured profile can be entered. In other words, you just need to delete a line of code to access the data.

What is the error. The app, despite the fact that the EU indicates that it was already ready, currently does not encrypt this PIN. Nor are the credentials linked to a specific PIN so that, if someone tries to change or delete it, our data cannot be accessed.

He also points out that, at least right now, the app entrusts too much data to an editable file. If an attacker accesses it, it is quite easy for them to bypass the app’s layers of protection and use someone else’s identity. He ends by showing how the requirement to use biometrics is a boolean variable (true or false), modifiable by switching between “false” and “true” in the editable file.
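The two gaps described above (a PIN check that is not tied to the stored credential, and a biometric flag kept as a plain editable boolean) are contrasted below with a record whose keys are derived from the PIN and whose flags are authenticated. This is an added illustration, not the EU app's code: the file layout, field names and functions are assumptions, and the SHAKE-256 keystream is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, json, os
from typing import Optional

def weak_unlock(cfg: dict, pin: str) -> Optional[str]:
    # Constructed model of the flaw: the check is skipped when the entry is absent,
    # and the credential sits in the file unencrypted.
    if "pin" in cfg and cfg["pin"] != pin:
        return None
    return cfg["credential"]

def _keys(pin: str, salt: bytes):
    # One slow KDF call yields an encryption key and a MAC key from the PIN.
    k = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHAKE-256 keystream: standard-library stand-in for a vetted AEAD (e.g. AES-GCM).
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key: bytes, salt: bytes, nonce: bytes, policy: dict, ct: bytes) -> bytes:
    # The MAC covers the policy flags, so flipping one invalidates the record.
    header = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(mac_key, salt + nonce + header + ct, hashlib.sha256).digest()

def seal(pin: str, credential: bytes, policy: dict) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(pin, salt)
    ct = _xor(enc_key, nonce, credential)
    tag = _tag(mac_key, salt, nonce, policy, ct)
    return {"salt": salt.hex(), "nonce": nonce.hex(), "policy": policy,
            "ct": ct.hex(), "tag": tag.hex()}

def unseal(pin: str, stored: dict) -> Optional[bytes]:
    try:
        salt, nonce, ct, tag = (bytes.fromhex(stored[k])
                                for k in ("salt", "nonce", "ct", "tag"))
        policy = stored["policy"]
        enc_key, mac_key = _keys(pin, salt)
        expected = _tag(mac_key, salt, nonce, policy, ct)
    except (KeyError, TypeError, ValueError):
        return None  # a deleted or malformed field locks the profile, never opens it
    if not hmac.compare_digest(expected, tag):
        return None  # wrong PIN, or policy/ciphertext edited after sealing
    return _xor(enc_key, nonce, ct)
```

A PIN of four to six digits has only about a million possible values, so a key derived from it alone can still be guessed offline by anyone holding the file; keeping the key in hardware-backed storage is what limits that.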

Why there is a catch. There is a gap between saying and doing, and the European Union has overreached by claiming that its app “is now ready.” The version to which the consultant has had access is not the final one; it is a demo version in which the security layers have not yet been added. More than minor bugs, these are structural errors that should not even be present in an initial version.

The controversy arises when Ursula von der Leyen assures that the app is “technically ready”, presents it at a press conference, and hours later it is learned that it is still in the testing phase.

Why is it important. Despite being a pre-production version, the hack helps us get an idea of the app’s operation and interface, as well as the possible limitations it may have at the security level. In fact, it would not be the first time that an app from the EU or the Spanish administration has had serious security incidents.

On January 30 of this year, the European Commission detected signs that its mobile device management platform (in which it stores data on its employees) had been compromised, and Radar COVID was born in Spain without complying with the GDPR.

What it has revealed. The initial version of the age verification app shows us a simple interface in which, after entering the PIN, we have three verification methods.

  • Through our ID
  • By passport
  • Using a QR code

The app has four sections: welcome, consent, security (PIN) and verification. The app developers will be responsible for integrating this European solution into their apps and, despite Von der Leyen’s fervor, there is still no date for its arrival.
