New EU age verification has been hacked in under 2 minutes

Found this interesting tweet at X:

Hacking the #EU #AgeVerification app in under 2 minutes.

During setup, the app asks you to create a PIN. After entry, the app encrypts it and saves it in the shared_prefs directory.

1. It shouldn’t be encrypted at all - that’s a really poor design.
2. It’s not cryptographically tied to the vault which contains the identity data.

So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app.

After choosing a different PIN, the app presents credentials created under the old profile and let’s the attacker present them as valid.

Other issues:

1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. “UseBiometricAuth” is a boolean, also in the same file. Set it to false and it just skips that st@vonderleyenp.

Seriously @vonderleyen

• this product will be the catalyst for an enormous breach at some point. It’s just a matter of time.

In the tweet the guy provided a video.

source: https://x.com/Paul_Reviews/status/2044723123287666921

I’m all on the hackers side here, white or black hat. This idiocy must be laid bare as often and as publicly as they can.

Not sure why they felt the need to make their own app instead of just using already existing digital wallets.

It doesn’t serve the same purposes. If you meant the European Digital ID wallet, I am pretty sure it can connect to it, but can’t be a requirement for accessibility reasons I would say. And that’s great.

Just learned it was a demo on github but anyway.

the source image used to collect that data is written to disk without encryption and not deleted correctly

https://xcancel.com/Paul_Reviews/status/2044723123287666921

It is a vulnerability no doubt, and it should be fixed, however this app is right now in the demo/early access, and they also state that this app shall not be used for production use.
Besides that comes that this is only an issue if somebody got physical access to the unlocked rooted/jailbroken phone.
The attack vector is physical, the privileges required are also high, and the attack requirements are also present.

So I really do not see any reason blow this vulnerability out of proportion.
One thing that I’m more concerned of is that, at least in my understanding, their promotion of the Zero Knowledge Proof that should be sooo privacy respecting, is no Zero Knowledge Proof.