Blog

UK Internet Age Verification System explained for cyber security

The goal of the UK Internet Age Verification System is to protect children browsing on the internet. But these checks come with new cybersecurity risks and privacy concerns.

Jul 29, 2025 • 5 min read

Simon Wijckmans Founder & CEO

UK Internet Age Verification System explained for cyber security

The UK government created a new age-verification law under the Online Safety Act 2023, which has come into play as of 25 July 2025.

These rules require users to prove they are over 18 before accessing certain online content. Mainly pornographic websites or platforms that promote self-harm, suicide, eating disorders and other potentially harmful material.

The goal of the UK Internet Age Verification System is to protect children browsing on the internet.

While the aim to protect children is positive, age verification when done accurately often means exposing sensitive personal information. These checks come with new cybersecurity risks and privacy concerns.

Age verification pop-up requiring account creation

How the UK Internet Age Verification System works

Users must prove their age to access websites with adult content or websites that promote harmful subjects
Websites must use strict methods to prove users’ age, like:
- Uploading an ID (passport or driver license)
- Taking a selfie and using software to verify age by facial pattern matching
- Confirming your age with a credit or debit card
Platforms like Reddit, X (Twitter) and other multi-purpose websites must ensure that minors cannot view adult content.
Non-compliant websites can be:
- Blocked in the UK
- Fined up to £18 million or 10% of global revenue

What this means in practice (and for cyber security)

1. People will use VPNs to bypass UK age verification laws

Websites use the requester’s IP to verify where the request is coming from, which is easily bypassed. To avoid these checks, many users are turning to VPNs and changing their location outside the UK. App Store search data already indicate a significant increase in VPN downloads following the rollout.

2. Rise of fake VPN sites, phishing pages and malware

Cybercriminals are aware of this change and are already launching fake VPN services targeting minors and phishing websites that mimic real age-verification portals.

These mostly contain spyware, malware or crypto miners.

Even Google Search ads have featured malicious sponsored links that lead to dangerous downloads in the past. Chances are we will see this happening again.

This opens the door to a sharp rise in identity theft, credential harvesting and malware infections, especially among users trying to avoid verification.

3. Malicious JavaScript and third-party script abuse

Many websites outsource age checks to third-party SDKs or embedded widgets. This introduces massive client-side supply chain risks. Just like with other dependencies, attackers can launch Magecart-style attacks to collect:

Uploaded photo IDs
Credit card details
Uploaded selfie
Other personal information

Examples of an attack method:

Injecting malicious <script> tags into verification flows
Using fake <input> overlays to spoof identity forms
Manipulating the DOM to exfiltrate data before it is encrypted or submitted

This is all well-known in the client-side security space where it’s become the most common attack. And one that traditional audits often miss.

4. Dangerous Browser Extensions

Again to the point of VPNs above, users trying to bypass restrictions may install shady VPN browser extensions. We recently wrote exactly why browser extensions are so dangerous.

They can:

Hijack traffic
Inject ads or affiliate links
Log browsing history
Be sold to bad actors - this is common practice

5. API and token exploits

Anywhere there is PII gathered, attacks will flock. As we saw in the recent Tea app, their backend got breached and all the user PII was leaked. Similar to the UK Internet Age Verification System, Tea also gathered verification via photo ID and other personal info. Since platforms themselves are in charge of this age verification, that just means more targets for possible attacks.

Future threats we can expect

Threat Type	Description
ID Theft via Phishing	Fake age-verification portals that collect uploaded ID documents
Deepfakes and Face Swaps	Stolen selfies used to create AI-generated impersonations
Malicious Age Verification SDKs	Client-side supply chain attacks targeting embedded age-check libraries
Surveillance and Tracking	Age-check tools that follow users across websites under the guise of safety
VPN Honeypots	Fake VPNs that log user activity and collect personal data
Credential Stuffing	Reused login credentials stolen from phishing or fake SDKs
Magecart-style PII Skimming	Malicious scripts scraping ID images and sensitive form inputs
Form Overlay Attacks	Fake form fields used to steal user data before submission

Best practices

For Users:

Use only trusted VPN providers
Never upload ID documents to unverified websites
Avoid installing browser extensions from unknown developers and make sure the extension has positive and legitimate reviews
Regularly clear cookies and session data. This helps reduce passive tracking and exposure to cross-site data leaks

For Developers:

Audit all third-party JavaScript libraries and SDKs. Client-side, middleware and server side
Implement a strict Content Security Policy (CSP) strategy - if you can
Use Subresource Integrity (SRI) - if you can
Set up Cross-Origin Resource Sharing (CORS)
Prevent Cross-Site Scripting (XSS) by sanitizing user input and using secure templating frameworks
Add a secure token system
Monitor the DOM and network requests

Cside can help with a number of these.

Founder & CEO Simon Wijckmans

Founder and CEO of cside. Building better security against client-side executed attacks, and making solutions more accessible to smaller businesses. Web security is not an enterprise only problem.

Table of Contents

Back to top

FAQ

Frequently Asked Questions

The Online Safety Act 2023 mandates websites that host adult content and general harmful material to verify that visitors are over 18. This can be done by allowing visitors to upload a government-issued ID, facial age estimation via a selfie or validating credit/debit card ownership.

Both UK-based and international websites accessible in the UK are required to comply. Platforms that fail to do so risk being blocked or fined by Ofcom (Office of Communications).

Users can bypass the system by using a VPN to make it appear they are outside the UK. This has already led to a surge in VPN downloads. Using a VPN also doesn’t eliminate the cybersecurity risks introduced by these verification systems.

The law was created to protect children, but it brings privacy risks if the verification is handled poorly. Users are asked to upload sensitive data and these can be exposed through phishing sites, malware-infected VPNs or compromised third-party verification tools. These age verification systems will become targets for identity theft and surveillance.

Age verification introduces a new attack surface for cybercriminals. Especially since a lot of platforms needed to implement them quickly or risk losing revenue. Identity documentation is a highly valuable asset. Attacks through hijacking identity verification systems or mimicking identity verification systems will rise. The use of sensitive personal information just became more normalized, which is generally a negative thing.

For users, be careful uploading identity documents to websites. Always verify this is necessary and if given the option use less risky methods. Identity theft is hard to correct, issuing a new bank-card can be easier. If you decide to use a VPN, stick to reputable providers. Avoid installing unknown browser extensions. Developers must treat the browser as a critical security boundary by auditing all third-party scripts and adopting security solutions for client-side security.

Age verification is required as part of the Online Safety Act 2023. The new Act aims to prevent children from accessing harmful content online. Harmful content types include pornography as well as material related to self-harm, suicide and eating disorders.

Any site or app that hosts adult content or material considered harmful to children must comply. This also includes social platforms where such materials can be shared like Reddit, Discord, Bluesky, X/Twitter and similar - currently over 6000 platforms.

Monitor en Beveilig Je Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Boek een demo

Start gratis

cside dashboard interface met script monitoring en beveiligingsanalytics

"Microsoft Clairty" Isn't Microsoft Clarity: Deobfuscating a Typosquatted Ad Fraud Script

Cside observed a new malicious client-side injection originating from a malicious browser extension impersonating Microsoft Clarity and overwriting referral tokens to redirect referral revenue to a malicious actor.

How to block AI agents on your website | robots.txt is not enough

Robots.txt won’t stop AI agents from abusing your website. Learn how to block headless browser agents and fraudulent agents with different controls.

How to Monitor Cross Border Data Transfer On Your Website | GDPR, CCPA

Your website is likely sending personal data to other countries. Learn how to track cross-border data transfers for GDPR and CCPA requirements.

How to Prevent Website Data Breaches (to avoid GDPR & CCPA fines)

1/3rd of breaches involve third parties. Learn how to prevent GDPR and CCPA violations by securing third-party scripts, APIs, and data flows.

Comparing Tools for GDPR Compliance (the ones you need in 2026)

GDPR compliance does not live in one tool. Fragmentation confuses teams, so we wrote this guide to help you select the right GDPR tools for you.

What is E-skimming | Guide and Prevention Tips

E-skimming steals information from your web visitors before traditional security tools protect them. Learn how web skimming works and how to prevent it.

3 Tips - The fastest way to comply with PCI DSS requirements 6.4.3 & 11.6.1

Most teams overcomplicate PCI DSS 6.4.3 & 11.6.1. See the fastest paths to compliance and why QSAs recommend tools over DIY.

VCDPA: Guide to Requirements + Website Compliance

Get a clear breakdown of Virginia Consumer Data Protection Act rules, enforcement timelines, and how to manage third-party scripts correctly.

Best practices for securing third party scripts on web pages

Third-party scripts can expose sensitive data in your users’ browsers. Learn best practices to secure client-side code and reduce breach risk.

Comparing Top Client Side Security Tools (features, reviews, pricing)

This selection guide dives deep into pricing, protection coverage, and more to help you choose a client-side protection tool for your website.