A few weeks ago, Ursula von der Leyen presented the European age verification app for social media; 24 hours later, a simple consultant took it down.
Industry & EmploymentEuropean Union
- Error detected
- The claim that the consultant 'took down' the app is misleading: the app was not disabled, removed from service, or rendered inoperative. A security bypass was demonstrated, and the app continued to operate.
- Omissions
- The claim says the app was 'taken down' (la faisait tomber), implying it was disabled or removed from service. In reality, Paul Moore demonstrated a bypass of the age verification mechanism — the app continued to function and was patched.
- The MEP describes Paul Moore as a 'simple consultant,' downplaying his expertise as an established security researcher. The bypass exploited publicly visible source-code vulnerabilities, not a sophisticated zero-day attack — which is relevant context but does not make him a 'simple' or unqualified actor.
- The EU age verification app was presented as 'technically ready' but not yet rolled out to citizens; it was still in a pre-release or early-access phase when the vulnerabilities were found.
- The session date is 19 May 2026, approximately five weeks after the 15 April announcement. The MEP's 'a few weeks ago' is loosely accurate but imprecise.
- Sources
- PrimaryEuropean Commission — Press CornerStatement by President von der Leyen with Executive Vice-President Virkkunen on the digital age verification app. The press statements were delivered on 15 April 2026, announcing that the European age verification app is technically ready.
- SecondaryPoliticoReports that von der Leyen said 'Our European age verification app is technically ready' and will 'soon' be 'available for citizens to use.' Confirms the app announcement by the Commission President.
- SecondaryEU PerspectivesReports that on 16 April 2026, UK-based security consultant Paul Moore published a video showing a full bypass of the EU age verification app's authentication in under two minutes, approximately 24 hours after von der Leyen's 15 April presentation.
- SecondaryProton BlogConfirms that 'By Thursday [16 April 2026], security consultant Paul Moore had bypassed the app's protections in under two minutes.' Notes vulnerabilities were identified and the app received an emergency patch, not taken offline.