Worldcoin, the Human Identity Project, has received a third-party audit of its Orb software, as stated in a draft report from the development team seen by Cointelegraph. The audit, conducted by Trail of Bits, found no vulnerabilities in the Orb software that could be exploited to undermine the project’s goals. The full report from Trail of Bits is expected to be published on March 14, according to an email statement from Worldcoin.
Worldcoin allows individuals to verify their humanity by registering with a phone number, email address, or by scanning their iris using an Orb device. Upon registration, users receive a “World ID” that serves as proof of their human identity. The project was co-founded by Sam Altman, who also co-founded OpenAI, the developer of ChatGPT. Altman expressed concerns about the potential for artificial intelligence (AI) bots to convincingly impersonate humans, which motivated him to create Worldcoin.
Privacy advocates have raised concerns about Worldcoin, arguing that it exposes users’ iris scans to the risk of being accessed by hackers or governments. These scans could potentially reveal all of the activities associated with a person’s World ID.
According to the report from Worldcoin, Trail of Bits commenced its assessment on August 14, 2023. The security firm was provided with version 3.1.10, which was frozen for assessment purposes on July 8, 2023. The current version is 4.0.34, according to the report.
The auditors reportedly spent six weeks examining the code for potential vulnerabilities, considering the various attack vectors a hacker could use to obtain a user’s iris scan. They concluded that no vulnerabilities were found in the Orb’s code that could be directly exploited to undermine the project’s goals. Specifically, the auditors stated that obtaining a user’s iris code would require an attacker to control one of the trusted certificates.
The report also mentioned two recommendations the auditors made to enhance the Orb’s security. The first was to strengthen the configuration of the signup process to prevent security issues from being introduced in the future; the Worldcoin team implemented this recommendation. The second was to address a bug in the ZBar library used for scanning QR codes during signup: the auditors identified “memory safety” issues in ZBar that could potentially leak configuration data, such as the user’s “data custody choice.” In response, the Worldcoin team replaced the ZBar library with a pure-Rust implementation.
The debate surrounding Worldcoin’s privacy practices is likely to continue. On March 6, Spain’s Agency for the Protection of Data issued an injunction against the project, citing the need to investigate claims of data protection law violations. Worldcoin maintained that it did not breach these laws and accused the Spanish government of bypassing EU law by issuing the injunction.
Update 4:18 pm UTC on March 18: This article has been updated to provide clarification regarding the vulnerability in the ZBar library.