{"id":44844,"date":"2023-08-05T11:30:36","date_gmt":"2023-08-05T15:30:36","guid":{"rendered":"https:\/\/ifintechworld.com\/markets\/crypto\/blockchain-security-firm-certik-reveals-vulnerability-in-worldcoin-protocol-allowing-unverified-orb-operator-access\/"},"modified":"2023-08-05T11:30:38","modified_gmt":"2023-08-05T15:30:38","slug":"blockchain-security-firm-certik-reveals-vulnerability-in-worldcoin-protocol-allowing-unverified-orb-operator-access","status":"publish","type":"post","link":"https:\/\/ifintechworld.com\/?p=44844","title":{"rendered":"Blockchain Security Firm CertiK Reveals Vulnerability in Worldcoin Protocol Allowing Unverified Orb Operator Access"},"content":{"rendered":"
\n

Blockchain security firm\u00a0CertiK\u00a0<\/strong>has disclosed a vulnerability in the\u00a0Worldcoin\u00a0<\/strong>protocol that allowed unauthorized access for an Orb operator.\u00a0<\/p>\n

In a recent Twitter thread, CertiK explained that the vulnerability allowed anyone to bypass the verification requirements to become an Orb operator without meeting the necessary criteria, such as being a legitimate company or passing a vetting interview.\u00a0<\/p>\n

“Through this security vulnerability, a malicious attacker could bypass the verification and strict participation criteria of the Worldcoin Operator acceptance process,” the company wrote.\u00a0<\/p>\n

The usual process allows only legitimate businesses that pass strict identification verification to run an Orb operation, which collects users’ iris information.\u00a0<\/p>\n

<\/oembed><\/figure>\n

CertiK said it reported the issue to Worldcoin through a whitehat disclosure procedure, and the project’s security team quickly addressed the vulnerability with a fix.<\/p>\n

“CertiK has since verified and confirmed that the fix mitigated the threat,” the company wrote.<\/p>\n

Notably, CertiK’s disclosure comes just a week after Worldcoin released a report on security audits conducted by Nethermind and Least Authority.\u00a0<\/p>\n

The audits covered various areas, including vulnerabilities in the code that could lead to adversarial actions and other attacks, as well as protection against malicious attacks and exploitation methods.<\/p>\n

Nethermind’s audit identified 26 items during the security assessment, of which 24 were fixed after the verification stage, one was mitigated, and one was acknowledged.<\/p>\n

On the other hand, Least Authority discovered three issues in the protocol and provided six suggestions, all of which have either been resolved or have planned resolutions, according to Worldcoin.<\/p>\n

Worldcoin Faces More Issues Amid Kenya Suspension<\/h2>\n

Last week, Kenya\u2019s Ministry of the Interior\u00a0issued a decree\u00a0suspending Worldcoin signup, citing concerns about its activities\u2019 authenticity, legality, security, financial services, and data protection.\u00a0<\/p>\n

In an official announcement, the ministry said relevant agencies had begun investigating the project.<\/p>\n

\u201cRelevant security, financial services and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities,\u201d interior minister Kithure Kindiki said at the time.<\/p>\n

<\/oembed><\/figure>\n

Worldcoin, co-founded by OpenAI CEO Sam Altman and valued at over $2 billion, aims to create a \u201cproof-of-personhood\u201d network by\u00a0registering verified humans through eyeball scans.\u00a0<\/p>\n

The project has already received notable criticism since its debut.\u00a0<\/p>\n

Since Worldcoin scans people\u2019s irises and eyes to ensure that the crypto is distributed fairly, some have expressed privacy and security concerns.\u00a0<\/p>\n

The collection of biometric data has also raised questions about how this sensitive information will be stored, protected, and potentially used.<\/p>\n

Furthermore, some have questioned Worldcoin\u2019s methods of obtaining consent.\u00a0<\/p>\n

A 2022\u00a0investigation by MIT Review\u00a0found that Worldcoin used deceptive marketing practices, collected more personal data than disclosed, and failed to obtain meaningful informed consent.<\/p>\n

Just recently, it was revealed that\u00a0European\u00a0<\/strong>regulators, including the\u00a0French National Commission on Informatics and Liberty (CNIL)<\/strong>\u00a0and the\u00a0Bavarian state authority in Germany<\/strong>,\u00a0are collaborating\u00a0with an investigation into the project.\u00a0<\/p>\n<\/p><\/div>\n