Worldcoin Bug Allowed Anyone to Become Orb Operator: CertiK – Decrypt

Crypto security firm CertiK revealed it recently unearthed a vulnerability in the Worldcoin protocol that allowed an attacker to bypass the verification process to become an Orb operator.

According to CertiK, this vulnerability would have reportedly enabled anyone to circumvent the verification requirements to become a Worldcoin Orb operator. The individual wouldn't be obligated, for instance, to be a legitimate company, undergo proper ID verification, or pass a vetting interview.

"In a normal case, only legit businesses that pass Worldcoin's strict identification verification process can run an Orb operation, which collects users' iris information," reads CertiK's thread.

The security firm stated that it reported the issue to Worldcoin through a standard whitehat disclosure procedure, after which the project's security team confirmed the vulnerability and promptly issued a fix.

CertiK, in turn, reportedly verified and confirmed that the fix mitigated the threat. The security company added that it will make details of the finding and how the vulnerability was mitigated public at some point in future.

"On May 29, CertiK's Security Team reported a bug to Worldcoin that could allow an attacker to create an inactive Operator account," a Worldcoin spokesperson told Decrypt. "The bug did not allow anyone to bypass the manual review for establishing an Operator account and at no point was access to Orbs or data enabled through the bug. The Worldcoin security team acknowledged and fixed the issue within 24 hours of receipt of information from CertiK and verified that it has not been abused."

It's worth noting that CertiK's revelation came just a week after Worldcoin released a report on security audits of the Worldcoin protocol conducted by audit firms Nethermind and Least Authority.

These audits covered an extensive number of areas, including vulnerabilities in the code leading to adversarial actions and other attacks, as well as protection against malicious attacks and other methods of exploitation.

The Nethermind audit flagged 26 items during its security assessment, of which 24 were identified as fixed after the verification stage, while one was mitigated and the remaining one was acknowledged.

Least Authority identified three issues in the protocol and offered six suggestions, all of which have either been resolved or have planned resolutions, according to Worldcoin.

CertiK didn't immediately respond to Decrypt's requests for comment.

Launched earlier this summer, Worldcoin is a crypto project aimed at establishing a novel global identity and financial network centered around iris scans.

The company claims that these World IDs will be crucial as artificial intelligence becomes more influential, allowing humans to prove they aren't robots.

To participate in this network, individuals are required to have their irises scanned using a device known as the Orb. As an incentive, users are rewarded with the project's native WLD token in exchange for their iris scan.

The project has sparked several concerns regarding data privacy and security. Critics, including famed whistleblower Edward Snowden and Ethereum co-founder Vitalik Buterin, argue that Worldcoin might be gathering an excessive amount of personal data, which could potentially be misused for malicious purposes.

There are also apprehensions about the security of the iris scans. As Buterin pointed out in his recent blog post, Orbs are hardware devices into which backdoors could be installed, allowing malicious manufacturers to create multiple fake human identities.

MIT Technology Review has also accused Worldcoin of engaging in deceptive marketing practices and gathering a larger amount of personal data than initially disclosed.

In response to these concerns, Worldcoin has asserted its commitment to safeguarding user privacy.

The company's website states the project is fully compliant with all laws and regulations governing biometric data collection and data transfer, including Europe's General Data Protection Regulation ('GDPR').

The firm added that the Worldcoin Foundation and its contributor Tools for Humanity never have and never will sell any personal data.
