Worldcoin, the Human Identity Project, has received a third-party audit of its Orb software, as stated in a draft report from the development team seen by Cointelegraph. The audit, conducted by Trail of Bits, revealed no vulnerabilities in the Orb software that could be directly exploited in relation to the Project Goals. The full report from Trail of Bits is expected to be published on March 14, according to a statement from Worldcoin.
Worldcoin offers users the ability to verify their humanity through various methods, such as registering with a phone number, email address, or using the Orb device to scan their iris. Upon registration, users receive a “World ID” that can be used to prove their human identity. Sam Altman, co-founder of ChatGPT developer OpenAI, co-founded Worldcoin out of concern that AI bots could effectively impersonate humans.
Privacy advocates have raised concerns that Worldcoin’s iris scans could be leaked to hackers or governments, potentially exposing users’ activities linked to their World ID.
According to the Worldcoin report, Trail of Bits began its assessment on August 14, 2023. The auditors analyzed version 3.1.10 of the software, which had been frozen for assessment purposes on July 8, 2023; the report notes that the current version is 4.0.34.
The auditors spent six weeks examining the code for potential vulnerabilities, focusing on several attack vectors that could be used to obtain a user’s iris scan. They concluded that the Orb’s code contained no vulnerabilities that could be directly exploited in relation to the Project Goals, stating specifically that an attacker would need control of one of the trusted certificates to obtain a user’s iris code.
The auditors did make two recommendations to enhance Orb’s security. The first recommendation was to strengthen the configuration for the signup process to prevent future changes from introducing security issues. The Worldcoin team implemented this recommendation. The second recommendation was to address a bug in the ZBar library used for scanning QR codes during signup. The auditors identified “memory safety” issues in ZBar that could lead to the leakage of configuration data, such as the user’s “data custody choice.” In response, the Worldcoin team replaced the ZBar library with a pure Rust version.
The debate surrounding Worldcoin’s privacy practices is likely to continue. On March 6, the Spanish Agency for the Protection of Data issued an injunction against the project, citing the need to investigate allegations of data protection law violations. Worldcoin argued that it did not violate these laws and accused the Spanish government of “circumventing EU law” by issuing the injunction.
Update 4:18 pm UTC on March 18: This article has been updated to provide clarification on the vulnerability of the ZBar library.