Worldcoin, the human identity project, has obtained a third-party audit of its Orb software, as stated in a draft report from the development team seen by Cointelegraph. The audit, conducted by Trail of Bits, revealed no vulnerabilities that could be directly exploited in relation to the project goals, according to the report. The full Trail of Bits report is scheduled to be released on March 14, according to a statement from Worldcoin.
Worldcoin enables individuals to verify their humanity by registering with a phone number or email address, or through an iris scan taken by an Orb device. Upon registration, users receive a “World ID” that serves as proof of their human identity. The project was co-founded by Sam Altman, also known for co-founding OpenAI, the developer of ChatGPT. Altman expressed concerns about the potential for artificial intelligence (AI) bots to effectively impersonate humans, which motivated him to create Worldcoin.
Privacy advocates have raised concerns about Worldcoin, fearing that users’ iris scans could be compromised by hackers or governments. These scans could potentially expose all activities associated with a user’s World ID.
According to the Worldcoin report, Trail of Bits initiated its assessment on August 14, 2023. The security firm evaluated version 3.1.10 of the software, which was frozen for assessment purposes on July 8, 2023. The current version is 4.0.34, as mentioned in the report.
The auditors spent six weeks examining the code for potential vulnerabilities, considering various attack vectors that hackers could exploit to obtain a user’s iris scan. However, they concluded that there were no vulnerabilities in the Orb’s code that could be directly exploited in relation to the project goals. The auditors specifically noted that an attacker would require control of one of the trusted certificates to obtain the user’s iris code. They stated:
“In conclusion, our analysis did not uncover vulnerabilities in the Orb’s code that can be directly exploited in relation to the Project Goals as described.”
While no significant vulnerabilities were found, the auditors did make two recommendations to enhance the Orb’s security. The first recommendation was to strengthen the configuration for the signup flow to prevent future changes from introducing security issues. The second recommendation was to replace the ZBar library, used for scanning QR codes during signup, with a pure Rust version. The auditors suggested this change to address potential “memory safety” issues in ZBar that could result in the leakage of configuration data, such as the user’s “data custody choice.” The Worldcoin team implemented both recommendations, according to the report.
The debate surrounding Worldcoin’s privacy practices is expected to continue. On March 6, Spain’s Agency for the Protection of Data issued an injunction against the project, claiming that it needed time to investigate allegations of data protection law violations by Worldcoin. Worldcoin, in response, denied any violation of these laws and accused the Spanish government of bypassing EU law by issuing the injunction.