Crypto security firm CertiK revealed it recently unearthed a vulnerability in the Worldcoin protocol that allowed an attacker to bypass the verification process to become an Orb operator.
According to CertiK, this vulnerability would have reportedly enabled anyone to circumvent the verification requirements to become a Worldcoin Orb operator. The individual wouldn't be obligated, for instance, to be a legitimate company, undergo proper ID verification, or pass a vetting interview.
“In a normal case, only legit businesses that pass the Worldcoin’s strict identification verification process can run an Orb operation, which collects user’s iris information,” reads CertiK’s thread.
The security firm stated that it reported the issue to Worldcoin through “a standard whitehat disclosure” procedure, after which the project’s security team confirmed the vulnerability and “promptly issued a fix.”
1/ On May 29th, CertiK reported a security vulnerability to #WorldCoin’s security team that could potentially allow an attacker to become an Orb operator by bypassing the verification process.
— CertiK (@CertiK) August 3, 2023
CertiK, in turn, reportedly verified and confirmed that the fix mitigated the threat. The security company added that it will make details of the finding and how the vulnerability was mitigated public “at some point in future.”
“On May 29, CertiK’s Security Team reported a bug to Worldcoin that could allow an attacker to create an inactive Operator account,” a Worldcoin spokesperson told Decrypt. “The bug did not allow anyone to bypass the manual review for establishing an Operator account and at no point was access to Orbs or data enabled through the bug. The Worldcoin security team acknowledged and fixed the issue within 24 hours of receipt of information from CertiK and verified that it has not been abused.”
It’s worth noting that CertiK’s revelation came just a week after Worldcoin released a report on security audits of the Worldcoin protocol conducted by audit firms Nethermind and Least Authority.
These audits covered an extensive number of areas, including vulnerabilities in the code leading to adversarial actions and other attacks, as well as protection against malicious attacks and other methods of exploitation.
The Nethermind audit flagged 26 items during its security assessment, of which 24 were identified as fixed after the verification stage, while one was mitigated and the remaining one was acknowledged.
Least Authority identified three issues in the protocol and offered six suggestions, all of which have either been resolved or have planned resolutions, according to Worldcoin.
CertiK didn’t immediately respond to Decrypt’s requests for comment.
Concerns around Worldcoin
Launched earlier this summer, Worldcoin is a crypto project aimed at establishing a novel global identity and financial network centered around iris scans.
The company claims that these World IDs will be crucial as artificial intelligence becomes more influential, allowing humans to prove they aren't robots.
To participate in this network, individuals are required to have their irises scanned using a device known as the Orb. As an incentive, users are rewarded with the project's native WLD token in exchange for their iris scan.
The project has sparked several concerns regarding data privacy and security. Critics, including famed whistleblower Edward Snowden and Ethereum co-founder Vitalik Buterin, argue that Worldcoin might be gathering an excessive amount of personal data, which could potentially be misused for malicious purposes.
There are also concerns about the security of the iris-scanning hardware itself: as Buterin pointed out in his recent blog post, Orbs are hardware devices into which backdoors could be installed, allowing malicious manufacturers to create multiple fake human identities.
MIT Technology Review has also accused Worldcoin of engaging in deceptive marketing practices and gathering a larger amount of personal data than initially disclosed.
In response to these concerns, Worldcoin has asserted its commitment to safeguarding user privacy.
The company’s website states the project “is fully compliant with all laws and regulations governing biometric data collection and data transfer, including Europe’s General Data Protection Regulation ('GDPR').”
The firm added that “the Worldcoin Foundation and its contributor Tools for Humanity never have and never will sell any personal data.”