Worldcoin flaw allowed anyone to become an orb operator
In late May, CertiK, a blockchain audit firm, discovered a serious security flaw in Worldcoin's code that would have allowed an unapproved user to become an Orb operator without going through the verification process.
According to CertiK, an attacker exploiting the flaw would have bypassed Worldcoin's onboarding requirements for Orb operators entirely.
The process for becoming an Orb operator is stringent: it involves ID verification, vetting interviews, and meeting specific company requirements. For instance, a verified Orb operator must run a licensed local business and have a team that onboards people, that is, scans their irises, into the Worldcoin ecosystem. Orb operators are paid in stablecoins or fiat currency.
Had the flaw gone unnoticed, individuals who had never been identified or vetted could have become Orb operators and collected sensitive iris data from users.
CertiK said Worldcoin’s security team promptly acted, validating the vulnerability and implementing a fix to eliminate the threat.
On July 28, Worldcoin published a comprehensive security audit report.
The Worldcoin protocol was audited by two security firms, Nethermind and Least Authority, both of which identified weaknesses.
The auditors examined the protocol's attack surface, assessed how the issues they found could be abused, and recommended mitigations against malicious activity and exploitation.
The Nethermind audit, for instance, reported 26 protocol issues, most of which were fixed before the auditors' verification pass; the rest were acknowledged and addressed afterwards. Least Authority, for its part, identified three issues and made six recommendations.
Worldcoin says it has resolved, or has committed to resolving, every identified issue in line with its stated commitment to maintaining a secure system.
This week, Kenyan authorities suspended all Worldcoin activities in the country pending a review of the risks to the public and of how the collected data might be used.
Worldcoin, for its part, said it paused services in Kenya to manage high demand and that it will work with local officials to explain its privacy measures.
Even so, Ricardo Macieira of Tools for Humanity, the company behind Worldcoin, said the project will continue expanding in jurisdictions where it is welcome.
Regulators in Germany, France, and the UK are also investigating whether Worldcoin complies with their data protection rules.