Worldcoin: Trail of Bits audit shows no vulnerability for Orb software

cyptouser8 months agoCryptocurrencies News148
b98df8a0>

Human identity project Worldcoin has obtained a third-party audit of its Orb software, according to a draft of a March 14 report from the development team seen by Cointelegraph. The audit was performed by Trail of Bits, which claimed to have found no vulnerabilities that “can be directly exploited in relation to the Project Goals as described,” the report stated. The full Trail of Bits report is expected to be published on March 14, according to an emailed statement from Worldcoin.

Worldcoin allows people to verify their humanity by registering with a phone number or email address or by having their iris scanned by an Orb device. When a user performs this registration, they obtain a “World ID” that can be used to prove they are an actual human. The project was co-founded by Sam Altman, who also co-founded ChatGPT developer OpenAI. Altman claimed that he helped to create Worldcoin out of fear that artificial intelligence (AI) bots may soon be able to pose as humans effectively.

Source: Worldcoin on X

Privacy advocates have criticized Worldcoin on the grounds that it risks leaking users’ iris scans to hackers or governments. These iris scans could potentially be used to reveal all of the activity a person performs with their World ID.

Related: Spanish court denies Worldcoin’s injunction request against regulator

According to the report from Worldcoin, Trail of Bits began its assessment on Aug. 14, 2023. The security firm was given version 3.1.10, which was “frozen” for assessment purposes on July 8, 2023. The current version is 4.0.34, the report stated.

The auditors reportedly spent six weeks investigating the code for any potential vulnerabilities. They considered several attack vectors that a hacker could use to obtain a user’s iris scan but ultimately concluded that “our analysis did not uncover vulnerabilities in the Orb’s code that can be directly exploited in relation to the Project Goals as described.” Specifically, the auditors concluded that an attacker could not obtain the user’s iris code unless the attacker has control of one of the trusted certificates. They reportedly stated:

“We believe the iris code is not written to persistent storage on the Orb and that it is included only in a single request to the Orb’s back end [...] [W]hile this configuration can be improved to make it more secure (TOB-ORB-10), it should not be possible for typical attackers to extract the iris code from the Orb’s network traffic; the attacker would have to be in control of one of the trusted certificates.”

According to the report, the auditors did make two recommendations to improve the Orb’s security. The first was to “harden” the configuration for the signup flow to ensure that future changes do not introduce security issues. The second was to replace the ZBar library used to scan QR codes during signup with a pure Rust version. The auditors claimed that ZBar might have “memory safety” issues that could leak configuration data, such as the user’s “data custody choice,” if this change was not made. The Worldcoin team implemented both of the suggested changes, the report stated.

The debate over Worldcoin’s privacy practices may continue for some time. On March 6, Spain’s Agency for the Protection of Data issued an injunction against the project, claiming that the agency needed time to investigate claims that Worldcoin violated data protection laws. In response, Worldcoin claimed that it did not violate these laws and that the Spanish government was “circumventing EU law” by issuing the injunction.

The content on this website comes from the Internet. Due to the inconvenience of proofreading the authenticity and accuracy of the copyright or content of some content, it may be temporarily impossible to confirm the authenticity and accuracy of the copyright or content. For copyright issues or other issues caused by this, please Call or email this site. It will be deleted or changed immediately after verification.

related articles

CertiK discovered $5M security flaw in Wormhole bridge on Aptos

CertiK discovered $5M security flaw in Wormhole bridge on Aptos

55966e89˃A security flaw in the Wormhole bridge on Aptos network could have resulted in $5 million w...

Dune launches enterprise solution Catalyst to streamline blockchain data integration

Dune, a prominent web3 data analytics platform, has introduced Dune Catalyst, an enterprise solution...

Binance exec arrested in Kenya, could face extradition to Nigeria: Report

1205f261˃Nadeem Anjarwalla, a British and Kenyan national who works at cryptocurrency exchange Binan...

SushiSwap proposes shift to 'Labs model' in DAO shake up amid social drama

SushiSwap’s head chef, Jared Grey, said the ongoing controversy surrounding the protocol’s proposed...

Legal fees skyrocket in high-profile crypto bankruptcies

55966e89˃Cryptocurrency bankruptcy lawyers and advisers at major law firms have amassed over $700 mi...

Pro-Bitcoin U.S. presidential candidate Francis Suarez suspends campaign

Pro-Bitcoin U.S. presidential candidate Francis Suarez suspends campaign

Francis Suarez, the pro-Bitcoin (BTC) Mayor of Miami, suspended his campaign for the Presidential se...