The controversial Worldcoin project had a serious security vulnerability, CertiK has disclosed on X (formerly known as Twitter). Worldcoin pays people to become part of its World ID ecosystem by submitting scans of their irises through a device Worldcoin calls an Orb.
According to security platform CertiK, the vulnerability in the vetting process for operators could have allowed an attacker to bypass the verification process and operate an Orb without being interviewed or having a proper ID. “It would not need to be a company,” according to the post.
1/ On May 29th, CertiK reported a security vulnerability to #WorldCoin’s security team that could potentially allow an attacker to become an Orb operator by bypassing the verification process.— CertiK (@CertiK) August 3, 2023
CertiK reported the vulnerability to the Worldcoin (WLD) security team as a “standard whitehat disclosure,” and it has been fixed, it said. The discovery of the vulnerability could add fuel to the worldwide controversy surrounding the project’s privacy and data use.
Critics have already suggested that the project, launched by OpenAI founder Sam Altman and intended to support its World App wallet by filtering out bots, is ethically questionable and contains the makings of a “dystopian nightmare.” The project is not open-source. Regulators have been skeptical as well.
The project depends on mass adoption for its success. Millions of people around the world have eagerly lined up for the opportunity to sell their retinal data for around $50. Observers have speculated that the project has not gained the support it was hoping for, but its momentum has not diminished.
HERE WE GO FOLKS: Hundreds of youth voluntarily line-up to have their eyeballs scanned with a Worldcoin orb to get their new digital ID with “free money” Worldcoins in their new digital wallet. This is exactly how #CBDC will be rolled out globally…— Patrick Henningsen (@21WIRE) July 26, 2023
“CertiK is not an official auditor of Worldcoin and we thank them for their contribution,” a Worldcoin spokesperson told Cointelegraph.
The spokesman said the bug “could allow an attacker to create an inactive Operator account. The bug did not allow anyone to bypass the manual review for establishing an Operator account and at no point was access to Orbs or data enabled through the bug. The Worldcoin security team acknowledged and fixed the issue within 24 hours of receipt of information from CertiK and verified that it has not been abused.”
The project claimed to be attracting 400,000 new users per week in mid-July, and that number has increased to over 545,000 at the time of writing, according to the project’s website, for a total of over 2,188,000. It recorded a daily average of over 193,000 wallet transactions over the past seven days.
The website also stated that 366 orbs have been active in the last week, and 2,000 of them have been manufactured.