Patched Worldcoin bug could have made Orbs vulnerable to remote takeovers: CertiK
The issue was reported about a month before launch and was quickly patched.
Before it was patched, the bug would have allowed an attacker to bypass verification procedures and become an operator of Orbs, Worldcoin’s eye-scanning devices, which are installed in public locations around the world.
This means the attacker would not need to exist as a company, have proper ID verification, or undergo a vetting interview to act as an operator, according to CertiK.
CertiK said it informed Worldcoin of the issue before the latest public announcement and stated that the project had patched the vulnerability. CertiK added that it has verified and confirmed that the fix entirely prevents the threat. The security firm also said it will post further details of the vulnerability and the patch.
Worldcoin separately acknowledged the issue in a statement to CryptoSlate but emphasized that the vulnerability was never exploited in practice.
Worldcoin said that the issue “did not allow anyone to bypass the manual review for establishing an Operator account” and said that “at no point was access to Orbs or data enabled through the bug.” It added that the issue was resolved within 24 hours.
The company added that CertiK is not an official auditor but thanked it for its contribution and invited others to submit similar security findings.
Bug was reported one month before launch
CertiK said that it informed Worldcoin of the security issue on May 29, about one month prior to the project’s public launch on July 24.
Worldcoin’s launch saw some success, with early gains in WLD token prices and seemingly high enrollment rates. Much of Worldcoin’s popularity appears to be based on the involvement of Sam Altman, best known as the CEO of OpenAI — the company behind the popular ChatGPT chatbot.
Despite Worldcoin’s popularity, the project is highly controversial due to the risks of having a company control vast amounts of user biometric data. The fact that Worldcoin experienced an early security issue is unlikely to inspire confidence among critics.