Worldcoin, a project aiming to establish a human identity system, has undergone a third-party audit of its Orb software. Conducted by Trail of Bits, the audit found no "directly exploitable vulnerabilities related to the stated project objectives," according to the report. The full audit report is slated for release on the same day, as confirmed by Worldcoin via email.
The Worldcoin project offers individuals the ability to verify their humanity through various methods, including phone numbers, email addresses, or iris scans using an Orb device. Once registered, users receive a "World ID" to authenticate their identity. Co-founded by Sam Altman, known for his involvement with OpenAI, the project was initiated due to concerns about the potential for advanced AI to masquerade as humans effectively.
Privacy advocates have raised concerns about Worldcoin's iris scan data, fearing it could be vulnerable to hacking or government surveillance, potentially compromising user privacy. Trail of Bits began evaluating the software on August 14, 2023, analyzing version 3.1.10, which had been "frozen" for evaluation since July 8, 2023. The auditors spent six weeks examining the code for potential vulnerabilities.
After considering various attack scenarios, the auditors concluded that they did not identify any directly exploitable vulnerabilities in the Orb code related to the project's goals. They specifically highlighted how difficult it would be for attackers to obtain user iris codes without controlling trusted certificates, while noting that further improvements could still strengthen security.
The audit report made two recommendations for improving Orb's security: enhancing the registration process configuration to prevent future security issues and replacing the ZBar library used for QR code scanning with a pure Rust version to mitigate potential memory safety issues. Worldcoin claims to have implemented both recommendations as per the report.
The privacy debate surrounding Worldcoin continues, with Spain's Data Protection Authority recently issuing an injunction against the project, citing concerns about potential violations of data protection laws. Worldcoin contests these allegations, stating that the Spanish government's actions aim to bypass EU laws rather than address legitimate concerns.