CertiK has revealed a significant security vulnerability in the controversial Worldcoin project, as it disclosed on social media platform X. The Worldcoin initiative offers a financial incentive for individuals to join its World ID ecosystem, requiring them to submit their iris scans using a device known as an Orb.
A security flaw in the operator vetting process of the Worldcoin project, as highlighted by CertiK's security platform, could have allowed an attacker to bypass verification and operate an Orb without the need for an interview or proper ID. Notably, this entity operating the Orb need not be a company, as stated in the post.
1/ On May 29th, CertiK reported a security vulnerability to #WorldCoin’s security team that could potentially allow an attacker to become an Orb operator by bypassing the verification process.
— CertiK (@CertiK) August 3, 2023
CertiK identified the vulnerability and promptly reported it to the Worldcoin security team as part of a "standard whitehat disclosure" process. The issue has since been addressed and resolved. This discovery could further contribute to the ongoing global discussions regarding the project's privacy and data usage controversies.
Amid concerns voiced by critics, including ethical uncertainties and comparisons to a "dystopian nightmare," the Worldcoin initiative, led by OpenAI founder Sam Altman, has stirred controversy. Designed to bolster the World App wallet's functionality through bot filtration, the non-open-source project has also faced skepticism from regulatory bodies. Its success hinges on widespread adoption, and although it has encountered scrutiny, millions globally have expressed interest in exchanging their retinal data for approximately $50. Despite these challenges, the project continues to maintain momentum.
HERE WE GO FOLKS: Hundreds of youth voluntarily line-up to have their eyeballs scanned with a Worldcoin orb to get their new digital ID with “free money” Worldcoins in their new digital wallet. This is exactly how #CBDC will be rolled out globally…
— Patrick Henningsen (@21WIRE) July 26, 2023
pic.twitter.com/whWgxdg7lm
A representative from Worldcoin expressed gratitude for CertiK's contribution, noting that CertiK is not an official auditor for Worldcoin. Additionally, the spokesperson spoke about the bug:
It could allow an attacker to create an inactive Operator account. The bug did not allow anyone to bypass the manual review for establishing an Operator account and at no point was access to Orbs or data enabled through the bug. The Worldcoin security team acknowledged and fixed the issue within 24 hours of receipt of information from CertiK and verified that it has not been abused.
In mid-July, the project asserted its ability to draw in 400,000 new users weekly, a count that has surged to over 545,000 as indicated on the project's website at the moment of writing. This aggregates to a cumulative user base exceeding 2,188,000. Meanwhile, over the past seven days, a daily average of more than 193,000 wallet transactions was documented. The site also revealed that 366 orbs were active in the preceding week, with 2,000 new ones already manufactured.
