Worldcoin’s Orb Software: Audited and Vulnerability-Free

Worldcoin, a project focused on human identity verification, has received a third-party audit of its Orb software. The audit was conducted by Trail of Bits, and according to a draft report seen by , no vulnerabilities were found that directly undermine the project’s goals. The full report is expected to be published on March 14.

Worldcoin offers users the ability to prove their humanity by registering with a phone number, email address, or through an iris scan using the Orb device. This registration grants users a “World ID” that serves as proof of their human identity. The project was co-founded by Sam Altman, who also co-founded OpenAI, the company behind ChatGPT. Altman’s concern about AI bots masquerading as humans led him to create Worldcoin. Privacy advocates have raised concerns that storing users’ iris scans could pose security threats if hacked or accessed by governments.

According to the report from Worldcoin, Trail of Bits began its assessment on August 14, 2023. The auditors examined version 3.1.10 of the software, which was frozen for assessment purposes on July 8, 2023. They spent six weeks investigating the code for potential vulnerabilities, considering various attack vectors that could compromise a user’s iris scan. They concluded that no vulnerabilities were found that directly exploited the project’s goals. The auditors highlighted that an attacker would need control of one of the trusted certificates to obtain a user’s iris code, as it is not stored persistently on the Orb.

The auditors provided two recommendations to enhance security: “harden” the signup flow configuration to prevent future security issues and replace the ZBar library used for scanning QR codes with a more secure alternative. Worldcoin implemented both suggestions.

The issue of privacy continues to be debated, as Spain’s Agency for the Protection of Data (AEPD) recently issued an injunction against Worldcoin, citing potential violations of data protection laws. Worldcoin has defended itself by asserting that it adheres to these laws and accused the Spanish government of circumventing EU regulations with the injunction.
