The EU’s age verification app can be hacked in 2 minutes. (Found by Paul Moore)
Demo :
https://youtu.be/1hfDOhrNx1I
In short :
- The pin you set to lock the app is encrypted, not hashed, which means with the private key of the app it could be reversed (there’s no need to get that as you’ll see in the next points
- Once you verify your age, the pictures and data identifying you is not deleted. Although on regular phones you and other apps can’t access it as they are protected at the Android level, this is still a breach of GDPR
- The app’s data is stored in a shared preferences file, which is pretty much just plain text. If you delete the key for your PIN, the app will let you create a new one, and still access the data of the old account.
- Nevertheless, the EU still brands it as a privacy friendly option on their site at https://t.ly/labwF
In short, don’t verify your age online! This is really bad for privacy!
@privacy
#privacy #europe #opensource #cybersecurity #ageverification
I don’t say the code isn’t sloppy and should never go live I. It’s state.
I say: show me the app on the app store that you can download and use.
We are talking about security issues in a reference implementation.
We are not talking about an app. All this does is to spread fear and if this whole thing is not accepted by the Public because of this , what then? We land up in a privatisation scenario once again and then fuck privacy.
This state of the Codebase is fixable, but stop talking about it like it would be a released app. It is not.