Worldcoin, the Human Identity Project, has received a third-party audit of its Orb software, according to a draft report from the development team. Trail of Bits, the auditing firm, conducted the assessment and found no vulnerabilities in the Orb software that an attacker could exploit against the project’s goals. The full report from Trail of Bits is set to be published on March 14, according to Worldcoin.
Worldcoin allows individuals to verify their humanity by registering with their phone number, email address, or by having their iris scanned using the Orb device. Upon registration, users receive a “World ID” that serves as proof of their human identity. The project was co-founded by Sam Altman, who also co-founded OpenAI, the developer of ChatGPT. Altman expressed concerns about the potential for artificial intelligence bots to convincingly impersonate humans, which motivated him to create Worldcoin.
Privacy advocates have raised concerns about Worldcoin, particularly regarding the risk of hackers or governments gaining access to users’ iris scans. These scans could potentially expose all the activities associated with a person’s World ID.
According to the report, Trail of Bits began its assessment on August 14, 2023, using version 3.1.10 of the software, which was frozen for evaluation purposes on July 8, 2023. The current version is 4.0.34, as stated in the report.
The auditors spent six weeks investigating the code for potential vulnerabilities, considering various attack vectors that could allow a hacker to obtain a user’s iris scan. They concluded that no vulnerabilities in the Orb’s code could be directly exploited against the project’s goals. Specifically, the auditors stated that an attacker would need control of one of the trusted certificates in order to obtain a user’s iris code.
The report mentioned two recommendations made by the auditors to enhance the Orb’s security. The first recommendation was to strengthen the configuration for the signup process to prevent security issues from arising in future changes. The Worldcoin team implemented this recommendation. The second recommendation was to address a bug in the ZBar library, used for scanning QR codes during signup, which the auditors found to have memory safety issues that could potentially leak configuration data. In response, the Worldcoin team replaced the ZBar library with a pure Rust version.
The debate surrounding Worldcoin’s privacy practices is expected to continue. On March 6, the Agency for the Protection of Data in Spain issued an injunction against the project, stating that it needed time to investigate allegations of data protection law violations. However, Worldcoin defended its actions, claiming that it did not breach these laws and that the Spanish government’s injunction was circumventing EU law.
Update 4:18 pm UTC on March 18: This article has been updated to provide clarification regarding the vulnerability of the ZBar library.