submitted 41 minutes ago* (last edited 39 minutes ago) by beep@piefed.world to c/cybersecurity@infosec.pub

Hacking the EU Age Verification app in under 2 minutes.

During setup, the app asks you to create a PIN. After entry, the app encrypts it and saves it in the shared_prefs directory.

  1. It shouldn't be encrypted at all - that's a really poor design.
  2. It's not cryptographically tied to the vault which contains the identity data.

So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app.

After choosing a different PIN, the app presents credentials created under the old profile and lets the attacker present them as valid.

Other issues:

  1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
  2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.

Seriously Von der Leyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.

Von der Leyen: "The European Age Verification app is technically ready. It respects the highest privacy standards in the world. It's open-source, so anyone can check the code..."

I did. It didn't take long to find what looks like a serious privacy issue.

The app goes to great lengths to protect the AV data AFTER collection (is_over_18: true is AES-GCM'd); it does so pretty well.

But, the source image used to collect that data is written to disk without encryption and not deleted correctly.

For NFC biometric data: It pulls DG2 and writes a lossless PNG to the filesystem. It's only deleted on success. If it fails for any reason (user clicks back, scan fails & retries, app crashes etc), the full biometric image remains on the device in cache. This is protected with CE keys at the Android level, but the app makes no attempt to encrypt/protect them.

For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them.

This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary.

From a GDPR standpoint: Biometric data collected is special category data. If there's no lawful basis to retain it after processing, that's potentially a material breach.

YouTube Video.

Source: Paul Moore (Security Consultant), X/Twitter, 2.

Bypassing EU Age Verification using their own infrastructure.

Video.

I've ported the Android app logic to a Chrome extension - stripping out the pesky step of handing over biometric data which they can leak... and pass verification instantly.

Step 1: Install the extension
Step 2: Register an identity (just once)
Step 3: Continue using the web as normal

The extension detects the QR code, generates a cryptographically identical payload and tells the verifier I'm over 18, which it "fully trusts".

This isn't a bug... it's a fundamental design flaw they can't solve without irrevocably tying a key to you personally; which then allows tracking/monitoring.

Of course, I could skip the enrolment process entirely and hard-code the credentials into the extension... and the verifier would never know.

Source: Paul Moore (Security Consultant), X/Twitter.
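A defensive sketch of the binding the post says is missing, added here and not taken from the post or from the app's code: the vault keys are derived from the PIN, so there is no separate PIN record whose removal lets a new PIN open old credentials. The function names, the `device_secret` parameter (a stand-in for a hardware-backed Keystore key) and the sample credential are assumptions, and the HMAC-based stream cipher only stands in for AES-GCM so the block runs on the standard library.

```python
import hashlib
import hmac
import os

CREDENTIAL = b'{"is_over_18": true}'  # constructed sample credential

def _keys(pin, salt, device_secret):
    # Stretch the PIN, then mix in device_secret (stand-in for a key held in
    # hardware) so a copied vault file cannot be brute-forced off the device.
    stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    okm = hmac.new(device_secret, stretched, hashlib.sha512).digest()
    return okm[:32], okm[32:]  # (encryption key, MAC key)

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM, not for production.
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(pin, credential, device_secret):
    # The vault stores only salt, nonce, ciphertext and tag; no PIN record exists.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(pin, salt, device_secret)
    ct = _xor_stream(enc_key, nonce, credential)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(pin, vault, device_secret):
    # A wrong or newly chosen PIN derives different keys, so the tag check fails.
    enc_key, mac_key = _keys(pin, vault["salt"], device_secret)
    body = vault["salt"] + vault["nonce"] + vault["ct"]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    return _xor_stream(enc_key, vault["nonce"], vault["ct"])

def demo():
    device_secret = os.urandom(32)
    vault = seal("4821", CREDENTIAL, device_secret)
    # Original PIN opens the vault; a different PIN chosen later does not.
    return unseal("4821", vault, device_secret), unseal("0000", vault, device_secret)

if __name__ == "__main__":
    print(demo())
```

The retry counter and the biometric flag described in the post would need the same treatment: enforced by the component that holds the key, not read from an editable preferences file.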

submitted 1 minute ago by silence7@slrpnk.net to c/climate@slrpnk.net

In a setback for federal efforts to thwart climate litigation, the judge ruled that the suit, which tried to block the state from suing oil companies, was too speculative.
