Security researchers just found a spectacular example of how not to build age verification. Persona, the company Discord partnered with to verify users' ages, left critical frontend code publicly accessible—essentially publishing a how-to guide for bypassing the very protections they were hired to provide.
This is security theater at its worst. The entire point of age verification is to keep minors safe on platforms where they shouldn't be. But if the implementation is so sloppy that anyone with basic web development skills can peek under the hood and see exactly how the system works, you haven't protected anyone. You've just collected more sensitive data while creating a false sense of safety.
Here's what happened: Persona's verification system relies on frontend code—the stuff that runs in your web browser—to handle parts of the age verification process. The problem? Frontend code is always visible. Always. Any developer worth their salary knows you never, ever put sensitive logic or validation in the frontend, because users can see it, modify it, and bypass it.
It's like putting a lock on your front door and then leaving the blueprints to that lock taped to the door itself. Sure, the lock technically works, but you've just told every potential intruder exactly how to pick it.
The implications are serious. Discord has hundreds of millions of users globally, many of them minors. Age verification exists precisely because there are parts of the platform—and people on the platform—that kids shouldn't have access to. When the system designed to enforce those boundaries can be bypassed by examining publicly available code, the protection is effectively worthless.
What makes this even more frustrating is that this is a solved problem. Proper age verification keeps all validation logic server-side, where users can't see or tamper with it. You submit your information, the server checks it, and the server decides whether you're verified. The frontend just displays the result. This is Web Security 101.
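The server-side pattern described above, next to the client-trusting pattern it replaces, as an added example that is not Persona's or Discord's code. All names are hypothetical, and the `birthDate` field is an assumed stand-in for whatever evidence a real system checks. Where the result has to pass through the browser, it travels as a signed statement the server re-checks.

```javascript
// Added example: constructed names and data; not Persona's or Discord's code.
const crypto = require('node:crypto');

const SERVER_KEY = crypto.randomBytes(32); // stays on the server, never shipped to the browser
const MIN_AGE = 18;                        // assumed policy threshold

// Weak pattern: the browser ran the check and the server believes its verdict.
function decideTrustingClient(body) {
  return body.verified === true;
}

// Whole years between an ISO birth date and `now`, computed on the server.
function ageInYears(birthDate, now) {
  const b = new Date(birthDate + 'T00:00:00Z');
  if (Number.isNaN(b.getTime())) return null;
  const years = now.getUTCFullYear() - b.getUTCFullYear();
  const beforeBirthday = now.getUTCMonth() < b.getUTCMonth() ||
    (now.getUTCMonth() === b.getUTCMonth() && now.getUTCDate() < b.getUTCDate());
  return beforeBirthday ? years - 1 : years;
}

// Server-side pattern: only submitted evidence is read; client-sent verdict fields are ignored.
function decideServerSide(body, now) {
  const age = ageInYears(String(body.birthDate), now);
  return age !== null && age >= MIN_AGE;
}

function sign(payload) {
  return crypto.createHmac('sha256', SERVER_KEY).update(payload).digest('hex');
}

// The result handed back to the browser is signed, so editing it is detectable.
function issueResult(accountId, body, now) {
  const payload = JSON.stringify({ accountId, verified: decideServerSide(body, now) });
  return payload + '.' + sign(payload);
}

// Every restricted request re-checks the signature before trusting the verdict.
function isVerified(token, accountId) {
  const i = token.lastIndexOf('.');
  if (i < 0) return false;
  const payload = token.slice(0, i), mac = Buffer.from(token.slice(i + 1), 'hex');
  const expected = Buffer.from(sign(payload), 'hex');
  if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) return false;
  const claims = JSON.parse(payload); // parsed only after the MAC has been verified
  return claims.accountId === accountId && claims.verified === true;
}
```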
Persona is a company that specializes in identity verification. This is literally their core competency. If they're making mistakes this fundamental, it raises serious questions about what else might be broken under the hood.
Discord and Persona will likely patch this now that it's public. They'll issue a statement about taking security seriously and implementing additional safeguards. But the fact remains: they deployed a broken system, collected sensitive personal data through it, and gave millions of users a false sense that their kids were protected.
The technology to do age verification correctly exists. The question is whether companies are willing to invest in doing it right, or if they'd rather check a compliance box and hope nobody looks too closely.




