Worldcoin, the Human Identity Project, has received a third-party audit of its Orb software, according to a draft report from the development team. The audit, conducted by Trail of Bits, revealed no vulnerabilities that could be directly exploited in relation to the project’s goals. The full report from Trail of Bits is expected to be released on March 14.
Worldcoin offers individuals the ability to verify their humanity through various means, such as registering with a phone number or email address, or by using the Orb device for iris scanning. Upon registration, users receive a “World ID” that serves as proof of their human identity. The project was co-founded by Sam Altman, who also co-founded OpenAI, the developer behind ChatGPT. Altman expressed concerns about AI bots potentially impersonating humans, which motivated his involvement in creating Worldcoin.
Privacy advocates have raised concerns about Worldcoin, particularly regarding the potential risk of users’ iris scans being compromised by hackers or governments. These scans could potentially expose all activities associated with a person’s World ID.
According to the Worldcoin report, Trail of Bits initiated its assessment on August 14, 2023. The security firm evaluated version 3.1.10 of the software, which was frozen for assessment purposes on July 8, 2023. The current version is 4.0.34.
During the six-week investigation, the auditors analyzed the code for any potential vulnerabilities, considering various attack vectors that hackers could exploit to access a user’s iris scan. Ultimately, they concluded that no vulnerabilities in the Orb’s code could be directly exploited in relation to the project’s goals. The auditors specifically highlighted that an attacker would not be able to obtain a user’s iris code unless they had control over one of the trusted certificates. They stated:
“The Orb’s code does not contain vulnerabilities that can be directly exploited to compromise the user’s iris code, as long as the attacker does not possess one of the trusted certificates.”
The auditors did, however, make two recommendations to enhance the Orb’s security. First, they recommended strengthening the configuration of the signup process so that future changes cannot introduce security issues. Second, they suggested replacing the ZBar library, used for QR code scanning during signup, with a pure Rust implementation. The auditors believed that ZBar might have memory safety issues that could expose configuration data, such as the user’s “data custody choice.” The Worldcoin team implemented both recommendations.
The debate surrounding Worldcoin’s privacy practices is expected to continue. On March 6, the Spanish Agency for the Protection of Data issued an injunction against the project, stating the need to investigate allegations of data protection law violations. In response, Worldcoin asserted that it had not violated any laws and accused the Spanish government of bypassing EU law by issuing the injunction.