European task Kids Walletdesigned to verify the property of users connected the Internet, was astatine the halfway of a ungraded aft cybersecurity experts revealed serious vulnerabilities astir instantly aft his presentation.
Despite the statements of the caput European Commission Ursula von der Leyen that the instrumentality “technically ready”experts were capable to hack the system within minutes of publishing the source code.
What experts found
According to a Politico investigation, cybersecurity advisor Paul Moore gained entree to vulnerabilities successful little than two minuteshaving discovered the storage of delicate information without sufficient protection.
Other experts pointed retired further problems:
- bypass capableness biometric authentication,
- using an adult’s instrumentality to simulate age,
- limited system ratio when used VPN.
Thus, adjacent the basal task – reliable property verification – not guaranteed successful the existent implementation.
Political and technological context
The app is portion of the strategy EU to bounds entree of minors to integer platforms and should person used modern approaches, including zero-knowledge proofallowing you to verify property without disclosing idiosyncratic data.
However, the identified problems caused a crisp reaction: much 400 specialists demanded to suspend the implementation of such solutions until they are afloat verified.
Response from the European Commission
IN European Commission acknowledged the beingness of shortcomings, but emphasized that we are talking astir demo versionnot the last product. According to the Commission, the vulnerabilities discovered person already been fixed, though experts person expressed doubts astir the completeness of these fixes.
The situation again raises the question astir the equilibrium betwixt the speed of implementation of integer solutions and their existent security, particularly when it comes to protecting the information of minors.
Editorial comment
The situation with Kids Wallet looks little similar a peculiar technical mistake and much similar a symptom of a deeper occupation successful the attack to integer projects astatine the level European Union. When a merchandise is publically named “technically ready”and its vulnerabilities are identified within a fewer minutes, this indicates not lone shortcomings, but besides gap betwixt the declared and existent level of security.
Some of the problems, of course, are engineering character: Storing delicate information without sufficient protection, the quality to bypass biometrics, use cases that let minors to easy bypass restrictions. Such vulnerabilities should beryllium fixed astatine the plan stage, and not aft the nationalist launch.
However, the much superior question is development logic. In such projects, precedence is progressively observed political deadlines and presentations implicit the existent stability of the system. As a result, astatine archetypal the content of a ready-made λύση is created, and then refinement begins under the unit of disapproval and identified risks.
The task itself creates further complexity: age verification successful the integer environment is astatine the intersection privacy, convenience and security. Any λύση that is not strict capable is circumvented, and immoderate determination that is too strict raises questions astir the extortion of idiosyncratic data. This makes akin systems vulnerable by natureunless they are afloat tested under real-life conditions.
To debar such situations, basal but captious measures are needed: independent information audit earlier launchfull-fledged programs bug bountyminimizing stored information and designing the system taking into relationship real, not perfect user behavior.
In its existent form, the Kids Wallet story showsthat the occupation lies not lone successful specific vulnerabilities, but successful the attack successful which the system is declared acceptable earlier it really becomes resistant to verification.
Greek (GR) · 
English (US) ·