Worldcoin, the Human Identity Project, has received a third-party audit of its Orb software, according to a draft report from the development team. The audit was conducted by Trail of Bits, who confirmed that they found no vulnerabilities in the Orb software that could be exploited to undermine the project’s stated goals. The full report from Trail of Bits is expected to be released on March 14, according to Worldcoin.
Worldcoin enables individuals to verify their humanity by registering with a phone number, email address, or through an iris scan using an Orb device. Upon registration, users receive a “World ID” that serves as proof of their human identity. The project was co-founded by Sam Altman, known for his involvement in ChatGPT developer OpenAI. Altman expressed concerns about AI bots potentially impersonating humans, which motivated the creation of Worldcoin.
Privacy advocates have raised concerns about Worldcoin, fearing that users’ iris scans could be exposed to hackers or governments. This could potentially reveal all the activities associated with a person’s World ID.
According to the report, Trail of Bits initiated the assessment on August 14, 2023. They analyzed version 3.1.10 of the software, which was frozen for assessment purposes on July 8, 2023. The current version is 4.0.34.
The auditors spent six weeks examining the code for possible vulnerabilities and considered various attack methods that hackers could employ to obtain a user’s iris scan. They concluded that the Orb’s code did not contain any vulnerabilities that could be directly exploited against the project’s goals. They specifically stated that an attacker would need control over one of the trusted certificates to obtain a user’s iris code, which places the relevant security boundary at the certificate trust chain rather than in the Orb code itself.
The auditors did provide two recommendations to enhance the Orb’s security. The first was to harden the configuration of the signup process to prevent future security issues. The second was to replace the ZBar library, a C library used for scanning QR codes during signup, with a pure Rust implementation. The auditors’ concern was that ZBar might have memory safety issues which, because the QR code is attacker-controlled input, could potentially leak configuration data if left unaddressed. The Worldcoin team implemented both changes as recommended.
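The following is an added example, not code from Worldcoin, Trail of Bits or ZBar, that illustrates the class of problem behind the second recommendation: a decoder that trusts a length field carried in attacker-controlled input and reads past the buffer it was given will copy whatever sits next to that buffer in memory. The QR record format, the adjacent "configuration" bytes and the simulated memory layout are all constructed for the illustration; the unchecked reader models the out-of-bounds read of a C-style decoder as a slice over the simulated memory so that it stays runnable, while the checked reader shows the bounds validation a pure Rust parser gets from slices and `Result`.

```rust
// Added example (not Worldcoin, Trail of Bits or ZBar code). Simulates why a
// length-trusting decoder fed attacker-controlled QR data can leak memory that
// happens to sit next to the input buffer, and what a bounds-checked parser
// does instead. The record format and memory layout are constructed.

/// Errors from the bounds-checked parser.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    Empty,
    Truncated { declared: usize, available: usize },
}

/// Constructed "process memory": the decoded QR bytes sit directly in front of
/// unrelated configuration data, as can happen with neighbouring heap buffers.
pub struct SimulatedMemory {
    pub bytes: Vec<u8>,
    /// The QR buffer is bytes[..qr_len]; everything after it is other data.
    pub qr_len: usize,
}

/// Lay out a QR buffer followed immediately by configuration bytes.
pub fn build_memory(qr: &[u8], config: &[u8]) -> SimulatedMemory {
    let mut bytes = qr.to_vec();
    bytes.extend_from_slice(config);
    SimulatedMemory { bytes, qr_len: qr.len() }
}

/// Models a decoder for a hypothetical record [len: u8][len bytes of data]
/// that trusts the length prefix and copies from the surrounding memory
/// without checking it against the buffer it was actually handed. In C this
/// is an out-of-bounds read; here it is simulated by slicing the whole
/// "memory" so the example runs without undefined behaviour.
pub fn read_record_unchecked(mem: &SimulatedMemory) -> Vec<u8> {
    if mem.bytes.is_empty() {
        return Vec::new();
    }
    let declared = mem.bytes[0] as usize;
    let end = (1 + declared).min(mem.bytes.len());
    mem.bytes[1..end].to_vec()
}

/// Bounds-checked version of the same decoder: the length prefix is validated
/// against the real input buffer, so malformed input becomes an error rather
/// than a read into neighbouring memory.
pub fn read_record_checked(mem: &SimulatedMemory) -> Result<Vec<u8>, ParseError> {
    let qr = &mem.bytes[..mem.qr_len];
    let (&declared, rest) = qr.split_first().ok_or(ParseError::Empty)?;
    let declared = declared as usize;
    if declared > rest.len() {
        return Err(ParseError::Truncated { declared, available: rest.len() });
    }
    Ok(rest[..declared].to_vec())
}

fn main() {
    // Constructed malicious input: the prefix claims 12 bytes but only 5 follow.
    let qr = [12u8, b'h', b'e', b'l', b'l', b'o'];
    let config = b"SECRET=1"; // constructed stand-in for adjacent config data
    let mem = build_memory(&qr, config);
    println!(
        "unchecked: {:?}",
        String::from_utf8_lossy(&read_record_unchecked(&mem))
    );
    println!("checked:   {:?}", read_record_checked(&mem));
}
```

Run as-is, the unchecked reader returns `helloSECRET=`, the five real payload bytes plus seven bytes of the neighbouring configuration, while the checked reader returns `Err(Truncated { declared: 12, available: 5 })`. The point is not that ZBar contains this exact defect, which the report does not claim, but that a memory-safe decoder turns the whole class of over-read into a rejected input.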
The debate surrounding Worldcoin’s privacy practices is likely to continue. On March 6, Spain’s Agency for the Protection of Data issued an injunction against the project, citing the need for further investigation into potential violations of data protection laws. In response, Worldcoin asserted that it had not violated any laws and accused the Spanish government of bypassing EU regulations by issuing the injunction.