Paul Moore - Security Consultant 's banner
Paul Moore - Security Consultant 's profile picture

Paul Moore - Security Consultant 

@Paul_Reviews14,722 subscribers

Laugh when you can, apologise when you should and let go of things you can't control.

Shorts

You can't steal data with #CSS alone, right? Wrong. If your #CSS is on a compromised CDN, or you can import a remote CSS via #XSS, you can grab all #data from form fields. Names, addresses, phone numbers & card data. Please, deploy #CSP and don't assume stylesheets aren't dangerous. #contentSecurityPolicy #CSSiphon

You can't steal data with #CSS alone, right? Wrong. If your #CSS is on a compromised CDN, or you can import a remote CSS via #XSS, you can grab all #data from form fields. Names, addresses, phone numbers & card data. Please, deploy #CSP and don't assume stylesheets aren't dangerous. #contentSecurityPolicy #CSSiphon

24,497 views

Bypassing the "world-leading, accurate & robust" #onlineSafetyAct age verification system with 3 blurry static pictures of #PeterKyle If you truly believe the #OSA protects children - or was intended to - I have a bridge to sell you. #farce

Bypassing the "world-leading, accurate & robust" #onlineSafetyAct age verification system with 3 blurry static pictures of #PeterKyle If you truly believe the #OSA protects children - or was intended to - I have a bridge to sell you. #farce

17,441 views

Videos

LIVE
1.2k

Anya Rossi

sweetdream.ai

SweetDream.aiSponsoredLivecam
Streaming Now

Watch Anya Live

Anya is streaming live right now! Join her private show and enjoy exclusive content.

HD live stream
Exclusive private shows
1.2k viewers online

Free preview available • Premium content

Hacking the #EU #AgeVerification app in under 2 minutes. During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory. 1. It shouldn't be encrypted at all - that's a really poor design. 2. It's not cryptographically tied to the vault which contains the identity data. So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app. After choosing a different PIN, the app presents credentials created under the old profile and let's the attacker present them as valid. Other issues: 1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying. 2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step. Seriously Ursula von der Leyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.
2:13
Paul_Reviews's profile picture

Hacking the #EU #AgeVerification app in under 2 minutes. During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory. 1. It shouldn't be encrypted at all - that's a really poor design. 2. It's not cryptographically tied to the vault which contains the identity data. So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app. After choosing a different PIN, the app presents credentials created under the old profile and let's the attacker present them as valid. Other issues: 1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying. 2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step. Seriously Ursula von der Leyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.

Paul Moore - Security Consultant 

3,386,547 views • 1 month ago

Bypassing #EU #AgeVerification using their own infrastructure. I've ported the Android app logic to a Chrome extension - stripping out the pesky step of handing over biometric data which they can leak... and pass verification instantly. Step 1: Install the extension Step 2: Register an identity (just once) Step 3: Continue using the web as normal The extension detects the QR code, generates a cryptographically identical payload and tells the verifier I'm over 18, which it "fully trusts". This isn't a bug... it's a fundamental design flaw they can't solve without irrevocably tying a key to you personally; which then allows tracking/monitoring. Of course, I could skip the enrolment process entirely and hard-code the credentials into the extension... and the verifier would never know.
1:14
Paul_Reviews's profile picture

Bypassing #EU #AgeVerification using their own infrastructure. I've ported the Android app logic to a Chrome extension - stripping out the pesky step of handing over biometric data which they can leak... and pass verification instantly. Step 1: Install the extension Step 2: Register an identity (just once) Step 3: Continue using the web as normal The extension detects the QR code, generates a cryptographically identical payload and tells the verifier I'm over 18, which it "fully trusts". This isn't a bug... it's a fundamental design flaw they can't solve without irrevocably tying a key to you personally; which then allows tracking/monitoring. Of course, I could skip the enrolment process entirely and hard-code the credentials into the extension... and the verifier would never know.

Paul Moore - Security Consultant 

1,174,155 views • 1 month ago

Bypassing the #EU #ageVerification app - part 2. This time, it's v2026.04-2 - which won't run on rooted devices & has encrypted shared preferences. If we ignore the fact they've used a 6 year old deprecated library, they haven't actually solved the problem at all. An attacker can just as easily delete ciphertext as plain text. Ironically, they've tried to solve a problem they don't truly understand... much like the concept itself.
2:54
Paul_Reviews's profile picture

Bypassing the #EU #ageVerification app - part 2. This time, it's v2026.04-2 - which won't run on rooted devices & has encrypted shared preferences. If we ignore the fact they've used a 6 year old deprecated library, they haven't actually solved the problem at all. An attacker can just as easily delete ciphertext as plain text. Ironically, they've tried to solve a problem they don't truly understand... much like the concept itself.

Paul Moore - Security Consultant 

70,022 views • 1 month ago

No more content to load