The UK government created a new age-verification law under the Online Safety Act 2023, which came into effect on 25 July 2025.
These rules require users to prove they are over 18 before accessing certain online content, mainly pornographic websites or platforms that promote self-harm, suicide, eating disorders and other potentially harmful material.
The goal of the UK Internet Age Verification System is to protect children browsing on the internet.
While the aim to protect children is positive, age verification, when done accurately, often means exposing sensitive personal information. These checks come with new cybersecurity risks and privacy concerns.
How the UK Internet Age Verification System works
- Users must prove their age to access websites with adult content or websites that promote harmful subjects
- Websites must use strict methods to prove users’ age, like:
  - Uploading an ID (passport or driver's license)
  - Taking a selfie and using software to verify age by facial pattern matching
  - Confirming your age with a credit or debit card
- Platforms like Reddit, X (Twitter) and other multi-purpose websites must ensure that minors cannot view adult content.
- Non-compliant websites can be:
  - Blocked in the UK
  - Fined up to £18 million or 10% of global revenue
What this means in practice (and for cyber security)
1. People will use VPNs to bypass UK age verification laws
Websites use the requester’s IP to verify where the request is coming from, which is easily bypassed. To avoid these checks, many users are turning to VPNs and changing their location outside the UK. App Store search data already indicate a significant increase in VPN downloads following the rollout.
2. Rise of fake VPN sites, phishing pages and malware
Cybercriminals are aware of this change and are already launching fake VPN services targeting minors and phishing websites that mimic real age-verification portals.
These mostly contain spyware, malware or crypto miners.
Even Google Search ads have featured malicious sponsored links that lead to dangerous downloads in the past. Chances are we will see this happening again.
This opens the door to a sharp rise in identity theft, credential harvesting and malware infections, especially among users trying to avoid verification.
3. Malicious JavaScript and third-party script abuse
Many websites outsource age checks to third-party SDKs or embedded widgets. This introduces massive client-side supply chain risks. Just like with other dependencies, attackers can launch Magecart-style attacks to collect:
- Uploaded photo IDs
- Credit card details
- Uploaded selfies
- Other personal information
Examples of attack methods:
- Injecting malicious <script> tags into verification flows
- Using fake <input> overlays to spoof identity forms
- Manipulating the DOM to exfiltrate data before it is encrypted or submitted
This is all well-known in the client-side security space, where it has become the most common attack and one that traditional audits often miss.
4. Dangerous Browser Extensions
Following on from the point about VPNs above, users trying to bypass restrictions may install shady VPN browser extensions. We recently wrote about exactly why browser extensions are so dangerous.
They can:
- Hijack traffic
- Inject ads or affiliate links
- Log browsing history
- Be sold to bad actors - this is common practice
5. API and token exploits
Anywhere PII is gathered, attackers will flock. As we saw with the recent Tea app incident, its backend was breached and all the user PII was leaked. Similar to the UK Internet Age Verification System, Tea also gathered verification via photo ID and other personal info. Since platforms themselves are in charge of this age verification, that just means more targets for possible attacks.
Future threats we can expect
Best practices
For Users:
- Use only trusted VPN providers
- Never upload ID documents to unverified websites
- Avoid installing browser extensions from unknown developers and make sure the extension has positive and legitimate reviews
- Regularly clear cookies and session data. This helps reduce passive tracking and exposure to cross-site data leaks
For Developers:
- Audit all third-party JavaScript libraries and SDKs: client-side, middleware and server-side
- Implement a strict Content Security Policy (CSP) strategy - if you can
- Use Subresource Integrity (SRI) - if you can
- Set up Cross-Origin Resource Sharing (CORS)
- Prevent Cross-Site Scripting (XSS) by sanitizing user input and using secure templating frameworks
- Add a secure token system
- Monitor the DOM and network requests
cside can help with a number of these.
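The third-party script audit, CSP and SRI items above, applied to the injected `<script>` scenario from point 3, as an added example (not part of the original article and not cside's code). The vendor origin `verify.vendor.example`, the page origin `site.example`, the allow-list and the sample markup are all constructed assumptions.

```javascript
// Added example: audit <script> tags on an age-verification page, derive SRI and CSP values.
const crypto = require('node:crypto');

// Hypothetical allow-list: the only third-party origin this page should load scripts from.
const ALLOWED_SCRIPT_ORIGINS = ['https://verify.vendor.example'];

// SRI value for a script body, in the format the integrity attribute expects.
function sriHash(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// Flag inline scripts, unexpected origins and allow-listed scripts without SRI (static markup only).
function auditScripts(html, pageOrigin) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) { findings.push({ tag, issue: 'inline script' }); continue; }
    const origin = new URL(src[1], pageOrigin).origin;
    if (origin === pageOrigin) continue; // first-party bundle
    if (!ALLOWED_SCRIPT_ORIGINS.includes(origin)) {
      findings.push({ src: src[1], issue: 'origin not on allow-list' });
    } else if (!/\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(tag)) {
      findings.push({ src: src[1], issue: 'missing SRI integrity' });
    }
  }
  return findings;
}

// CSP that limits where scripts load from and where ID or card data can be sent.
function buildCsp() {
  const vendors = ALLOWED_SCRIPT_ORIGINS.join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${vendors}`,   // no 'unsafe-inline': injected inline scripts are refused
    `connect-src 'self' ${vendors}`,  // fetch/XHR to any other host is blocked
    "form-action 'self'",             // forms cannot post to another origin
    "base-uri 'none'",
  ].join('; ');
}

// Constructed sample markup for a verification page.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://verify.vendor.example/sdk.js"></script>
<script src="https://verify.vendor.example/sdk.js" integrity="${sriHash('/* sdk */')}" crossorigin="anonymous"></script>
<script src="https://cdn.unknown.example/collect.js"></script>
<script>init()</script>
`;
console.log(auditScripts(SAMPLE_HTML, 'https://site.example'), buildCsp());
```

A scan of served markup does not see scripts added at runtime, which is why the list pairs it with CSP enforcement and with DOM and network monitoring.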
FAQ
1. How does the UK Age Verification System work?
The Online Safety Act 2023 requires websites that host adult content and general harmful material to verify that visitors are over 18. This can be done by allowing visitors to upload a government-issued ID, by facial age estimation via a selfie or by validating credit/debit card ownership.
Both UK-based and international websites accessible in the UK are required to comply. Platforms that fail to do so risk being blocked or fined by Ofcom (Office of Communications).
2. Can I bypass UK Age Verification with a VPN?
Users can bypass the system by using a VPN to make it appear they are outside the UK. This has already led to a surge in VPN downloads. Using a VPN also doesn’t eliminate the cybersecurity risks introduced by these verification systems.
3. Is the UK Age Verification Law safe for my privacy?
The law was created to protect children, but it brings privacy risks if the verification is handled poorly. Users are asked to upload sensitive data, and this can be exposed through phishing sites, malware-infected VPNs or compromised third-party verification tools. These age verification systems will become targets for identity theft and surveillance.
4. What are the cybersecurity risks of age verification systems?
Age verification introduces a new attack surface for cybercriminals, especially since a lot of platforms needed to implement it quickly or risk losing revenue. Identity documentation is a highly valuable asset. Attacks that hijack or mimic identity verification systems will rise. The use of sensitive personal information just became more normalized, which is generally a negative thing.
5. How can users and developers protect themselves?
For users, be careful uploading identity documents to websites. Always verify that this is necessary and, if given the option, use less risky methods. Identity theft is hard to correct; issuing a new bank card can be easier. If you decide to use a VPN, stick to reputable providers. Avoid installing unknown browser extensions. Developers must treat the browser as a critical security boundary by auditing all third-party scripts and adopting security solutions for client-side security.
6. Why was the UK age verification law introduced?
Age verification is required as part of the Online Safety Act 2023. The new Act aims to prevent children from accessing harmful content online. Harmful content types include pornography as well as material related to self-harm, suicide and eating disorders.
7. Which platforms are affected by the UK age verification law?
Any site or app that hosts adult content or material considered harmful to children must comply. This also includes social platforms where such materials can be shared like Reddit, Discord, Bluesky, X/Twitter and similar - currently over 6000 platforms.