Blockchain Security Firm CertiK Reveals Vulnerability in Worldcoin Protocol Allowing Unverified Orb Operator Access
Blockchain security firm CertiK has disclosed a vulnerability in the Worldcoin protocol that allowed unauthorized access for an Orb operator.
In a recent Twitter thread, CertiK explained that the vulnerability allowed anyone to bypass the verification requirements to become an Orb operator without meeting the necessary criteria, such as being a legitimate company or passing a vetting interview.
“Through this security vulnerability, a malicious attacker could bypass the verification and strict participation criteria of the Worldcoin Operator acceptance process,” the company wrote.
The usual process allows only legitimate businesses that pass strict identification verification to run an Orb operation, which collects users’ iris information.
3/ In a normal case, only legit businesses that pass the WorldCoin’s strict identification verification process can run an Orb operation, which collects user’s iris information.
— CertiK (@CertiK) August 3, 2023
WorldCoin’s security team confirmed the security vulnerability and promptly issued a fix.
CertiK said it reported the issue to Worldcoin through a whitehat disclosure procedure, and the project’s security team quickly addressed the vulnerability with a fix.
“CertiK has since verified and confirmed that the fix mitigated the threat,” the company wrote.
Notably, CertiK’s disclosure comes just a week after Worldcoin released a report on security audits conducted by Nethermind and Least Authority.
The audits covered various areas, including vulnerabilities in the code that could lead to adversarial actions and other attacks, as well as protection against malicious attacks and exploitation methods.
Nethermind’s audit identified 26 items during the security assessment, of which 24 were fixed after the verification stage, one was mitigated, and one was acknowledged.
On the other hand, Least Authority discovered three issues in the protocol and provided six suggestions, all of which have either been resolved or have planned resolutions, according to Worldcoin.
Worldcoin Faces More Issues Amid Kenya Suspension
Last week, Kenya’s Ministry of the Interior issued a decree suspending Worldcoin signup, citing concerns about its activities’ authenticity, legality, security, financial services, and data protection.
In an official announcement, the ministry said relevant agencies had begun investigating the project.
“Relevant security, financial services and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities,” interior minister Kithure Kindiki said at the time.
The government has suspended the activities of Worldcoin in Kenya until relevant agencies in Kenya establish their are no risks to the general public: pic.twitter.com/FuPhNtw2Ht
— Mwango Capital (@MwangoCapital) August 2, 2023
Worldcoin, co-founded by OpenAI CEO Sam Altman and valued at over $2 billion, aims to create a “proof-of-personhood” network by registering verified humans through eyeball scans.
The project has already received notable criticism since its debut.
Since Worldcoin scans people’s irises and eyes to ensure that the crypto is distributed fairly, some have expressed privacy and security concerns.
The collection of biometric data has also raised questions about how this sensitive information will be stored, protected, and potentially used.
Furthermore, some have questioned Worldcoin’s methods of obtaining consent.
A 2022 investigation by MIT Review found that Worldcoin used deceptive marketing practices, collected more personal data than disclosed, and failed to obtain meaningful informed consent.
Just recently, it was revealed that European regulators, including the French National Commission on Informatics and Liberty (CNIL) and the Bavarian state authority in Germany, are collaborating with an investigation into the project.
