Trail of Bits completes Worldcoin security audit
The audit was conducted in August 2023 after multiple regulators across the globe raised concerns about Worldcoin's biometric data collection.
Cybersecurity firm Trail of Bits has concluded the audit of Worldcoin’s ORB technology and found that it adheres to stringent privacy protocols, particularly in how it processes and stores personally identifiable information (PII), in the areas it reviewed.
However, the firm also found 12 vulnerabilities in the software โ including one issue that was deemed severe โ that could “theoretically” compromise Worldcoin’s privacy and security claims.
Trail of Bits reviewed Worldcoin’s validation specificities and found one high, three medium, one low, six informational, and one undetermined severity issue.
The full report was released on March 14 and validated many of the claims made by Worldcoin. It also suggested improvements for the issues found by the audit.
The audit was conducted between Aug. 7, 2023, and Aug. 27, 2023, after multiple regulators across the globe raised concerns about Worldcoin’s biometric data collection, with some outright banning its operations.
Worldcoin said the audit did not find vulnerabilities that could directly affect the integrity of its ORB software and has already resolved the high-severity issue flagged by the report.ย The fix was implemented after the review period had concluded and is different from the one suggested by the audit.
The audit
Trail of Bits’ audit aimed to meticulously examine the orb’s software, particularly focusing on its handling of personally identifiable information (PII) and the management of users’ iris codes.
During the default opt-out signup flow, the orb collects no PII except for the iris code, which is neither written to persistent storage nor leaves the orb. In scenarios where users opt-in, their PII is encrypted on the orb’s SSD in a manner that even the orb itself cannot decrypt โ showcasing a robust approach to data privacy.
Moreover, the audit verified that the orb does not extract additional sensitive data from a user’s device, with the only information collected being from a QR code.ย This ensures a minimal data collection approach, aligning with privacy best practices.
Importantly, the iris code, a critical piece of biometric data, is handled securely throughout its collection and transmission process, effectively mitigating the risk of unauthorized access or interception.
Recommendations
The audit also highlighted areas for improvement, recommending additional hardening of the orb’s software and hardware configurations to bolster security further.
In response, Worldcoin has implemented changes, including replacing a vulnerable library used for QR code scanning with a more secure alternative.
The fix is different from the one suggested by Trail of Bits, which involved fixing the bugs found in the “ZBar library.” However, Worldcoin chose to replace the ZBar library with the “rxing library” to fix the issue.
The fix was deployed outside the audit window, and Trail of Bits did not review the rxing library.
The Trail of Bits audit represents just one part of Worldcoin’s ongoing efforts to ensure the security and privacy of its technology. With the ORB technology being central to the Worldcoin project’s mission to provide a universal basic income, these rigorous security assessments are crucial for maintaining user trust and project integrity.
Recognizing the importance of transparency and community engagement, Worldcoin has invited public participation in its bug bounty program and plans to share future audit reports as they become available.
**Editor’s Note** The Article was updated on March 15 to include nuanced details about the audit and the fix deployed by Worldcoin.