@Duke_Nukem_1990 For this one verification platform at least, yeah

@Fmstrat Well technically I added support for another platform just now (see github) and so I changed the name. I don’t think in 1 day I had too many users lol

@cipherd Snooping around in the console and not wanting to show my face to some random website! Also, reading the docs on their site helped.

More technical details https://github.com/helloyanis/agechecker.net-bypass/issues/14#issuecomment-4801644570

@birdwing I don’t have an account there but if you have one, feel free to do so! The code is MIT licensed so you can redistribute and even modify it if you want.

@kutt The block is a front-end popup that sends ID data to the back-end, and when the back-end completes verification, the front-end dispatches an event and closes the popup window.

So if, let’s say, an extension replaced the popup script by something that would fire the event immediately, then sites would work!

@Fmstrat When it works on other site I will change the name! For now it only works on agecheck.net so it’s named like that to not confuse people who haven’t read this post.

@TheDarkQuark if they change it, then all of the websites using it will also have to change their code. But I don’t think they will change it unless the extension goes crazy viral, they won’t bother imo

@Maeve @privacy Yeah it doesn’t need to be done right away! Take care of your things! :dragn_mlem:

@Maeve @privacy I didn’t think when waking up today that I would be called “Furry savior” ! But I don’t mind hehe!

Feel free to tell me if it works on librewolf so I know!

@Maeve @privacy Haven’t tried but it should be! Follow the instructions on GitHub!

@bamboo Not sure if that’s exactly what you mean but each site can set up the age verification by loading a script and adding event callbacks, like redirect_url to set an URL to be redirected to once the verification is over, and onclosed which occurs when the verification is successful, and where the site can set some code to run.

So if you just block the popup, it never appears and can never fire onclose and the code that happens after will never run.

Since sites are often minified and obfuscated, and the call for the popup can come from any file, I just replaced the response to requests to the popup URL, to have my own script that fires the event and/or redirects to the page, so that it works every time.

I think the only way to counter this is, if they change the URL (I can later update it too, or if a website hosts their own version of the file (so it will be at a different URL and be undetected). But all of these have easy workarounds as well.

@ZeroHora This is just a facade so that we eventually take over the world, but shh!!

@bamboo I dont’t think so? I’m not sure how uBO filters works but the popup file is supposed to send an event to the main page to let it know that the verification is done and I don’t think uBO filters can do that

@rockSlayer Glad you like it! Hopefully it gets approved on the store so it can be installed more easily!

@vapeloki The issue is, once again, not that the app allows you to bypass age verification or anything with how countries implement it. It’s that the app makes it extremely easy to get the data and spoof someone else, while claiming it’s secure and privacy focused while it is not.
A prectical example would be :
- Someone steals my phone
- They can access the app as they can bypass the PIN
- They can appear and act as myself on any platform that will use the system to verify
No matter how countries implement it or how the app is still “in development”, I’m just saying that this current implementation is insecure and can be very easily hacked besides what is being said on the public spaces like the dedicated website and the twitter account of the president of the EU commission.
I will probably stop replying to this thread now as you keep telling me the same arguments and even when I demonstrate how I disagree with them, you keep repeating the same ones so I’ll just stop wasting my time

@vapeloki I really don’t get what you say with “there is no app”. The repo is literally called " age verification Android application". It’s not an SDK
Also, why shouldn’t it matter what Ursula said?The part of the readme you linked me mentions “In particular, any national-specific enrolment procedures must be implemented by the respective Member States or publishing parties”. This does not relate to the security of how data is stored.

“The current version is not feature complete”, well, it’s not what I’m complaining about. The thing is the feature that are there are not well made and use an approach that don’t focus on security and privacy.

Yes it’s a demo but if they want people to base their implementation based on that, then every implemenation will be faulty. A demo is meant to DEMOnstrate how it’s done. It never says anywhere it’s a prototype and if it was so, they wouldn’t brag about top notch security on their web page.

But anyways, you probably won’t change your mind.

@vapeloki From Ursula von der Leyen on Twitter, april 15th :
“The European Age Verification App is ready”
“Our app ticks all the boxes.
✅ Highest privacy standards in the world
[…]”

The GitHub readme note was added on april 17th, so after the backlash. I guess that means they are aware they need to update stuff, at least, but again it shows how they thought the app was good to go and production ready while it clearly was not.

Obviously Ursula von der Leyen is not a developer of the app so at some point she must have been told by the developers that the app was ready, then people saw it wasn’t so they added the note to the GitHub readme. That’s how I think things went.

@vapeloki While this is a prototype release, yes, it shows they don’t have user privacy at the core of their product despite what the branding seems to imply.

Usually prototypes comes with missing features, but right now the features are in a state with fundamental security flaws and they’d almost need to rebuild a whole app to fix that. Usually a prototype is to prove that a concept works, not how insecure it is.

Also, besides that, the president of the EU commission publicly stated that the app is production ready with the world’s best security standards. See https://xcancel.com/vonderleyen/status/2044340323120193595#m . I don’t think this would get posted if they thought that the app’s security infrastructure was broken and that this is just a prototype 🫤