According to a draft report dated March 14 from the development team, the human identity project Worldcoin has received a third-party audit of its Orb software. The audit, conducted by Trail of Bits, reported finding no security vulnerabilities that would be directly exposed to a hacking attack in relation to the stated project goals. In an emailed statement, Worldcoin said it expects the full Trail of Bits report to be published on March 14.
Security Report from Worldcoin
Worldcoin allows people to verify their identities by registering with a phone number or email address, or by having their irises scanned by an Orb device. When a user completes this registration, they obtain a World ID that can be used to prove they are a real person. The project was created by Sam Altman, who is also a co-founder of ChatGPT developer OpenAI. Altman has said that he helped create Worldcoin out of fear that artificial intelligence bots could soon act effectively like humans.
Privacy advocates have criticized Worldcoin for the risk of leaking users’ iris scans to hackers or governments. These iris scans could potentially be used to reveal all the activities a person has conducted with their World ID. According to Worldcoin’s report, Trail of Bits began its assessment on August 14, 2023. The security firm was given the “frozen” version 3.1.10 for evaluation on July 8, 2023. The report indicated that the current version was 4.0.34.
Auditors spent six weeks examining the code for potential security vulnerabilities. They evaluated various attack vectors that a hacker could use to obtain a user’s iris scan, but ultimately concluded that the analysis did not reveal any security vulnerabilities that would be directly susceptible to attack in relation to the project goals as described in Orb’s code. The report stated the following on the matter:
“We believe that the iris code is not written to Orb’s persistent storage and is only included in a single request to Orb’s backend. Although this configuration could be made more secure (TOB-ORB-10), it is not possible for typical attackers to extract the iris code from Orb’s network traffic, and the attacker would need to be in control of one of the trusted certificates.”
Noteworthy Details
According to the report, auditors made two recommendations to enhance the security of Orb. The first was to strengthen the configuration of the registration flow to ensure that future changes do not introduce security issues. The second was to replace the ZBar library used to scan QR codes during registration with a pure Rust implementation. Auditors warned that without this change, memory safety issues in ZBar could leak configuration data such as the user’s data storage choice. The report stated that the Worldcoin team implemented both of the suggested changes.
Discussions about Worldcoin’s privacy practices may continue for some time. On March 6, the Spanish Data Protection Agency issued a precautionary measure against the project, claiming it needed time to investigate allegations that Worldcoin violated data protection laws. In response, Worldcoin claimed that it did not violate these laws and accused the Spanish government of circumventing EU laws by issuing the precautionary measure.