ROUGH WEEK FOR WORLDCOIN
Between vulnerabilities in its “Orb” eye-scanning device code, and a national ban from operating in Kenya, Worldcoin had a less than stellar week.
The blockchain project headed by Sam Altman, co-founder of OpenAI and the wildly successful ChatGPT generative AI platform, officially launched in late July following years of development.
The stated goal of Worldcoin is to reward humans for verifying their humanness via digital eye scanning with an “Orb” device, and issuing them a digital ID.
The ID could theoretically be used in a wide range of activities and purposes, though much of that ecosystem doesn’t yet exist.
But recent audits by several firms showed multiple vulnerabilities in Worldcoin code.
It’s especially concerning, considering the biometric data that the project collects.
Security firm CertiK issued a statement about a Orb vulnerability it found, saying in part:
“On May 29th, CertiK reported a security vulnerability to #WorldCoin’s security team that could potentially allow an attacker to become an Orb operator by bypassing the verification process.
“Through this security vulnerability, a malicious attacker could bypass the verification and strict participation criteria of the #Worldcoin Operator acceptance process. Meaning it would not need to be a company, have proper ID verification, or have a vetting interview.
“In a normal case, only legit businesses that pass the WorldCoin’s strict identification verification process can run an Orb operation, which collects user’s iris information.”
CertiK noted that once alerted, Worldcoin’s security team confirmed and quickly patched the vulnerability.
Just a few weeks ago, Worldcoin released info concerning security audits it enlisted from Nethermind and Least Authority, that found 26 vulnerabilities.
As reported by CryptoNews.com, 24 of the 26 problems were fixed, one was mitigated, and one was “acknowledged.” (“Blockchain Security Firm CertiK Reveals Vulnerability in Worldcoin Protocol Allowing Unverified Orb Operator Access,” 5 Aug 2023.)
On the uptake side, at least one country has balked at Worldcoin’s efforts to entice people to sign up for its digital ID.
Kenya, via its Ministry of the Interior, announced that Worldcoin was suspended from operating within its borders, pending a closer look into various aspects of the project.
A statement from interior minister Kithure Kindiki said:
“Relevant security, financial services and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities.”
Worldcoin is not currently making itself available to U.S. citizens, likely out of regulatory concerns.
For related reading, see: