- Blockchain security firm CertiK mitigated a major Worldcoin vulnerability that could have let an attacker bypass verification.
- Following CertiK’s report, Worldcoin’s security team confirmed the vulnerability and promptly issued a fix.
- Worldcoin faced data privacy concerns in Kenya, leading to a halt in user registration and an investigation into the company’s data handling practices.
CertiK, a renowned blockchain security audit firm, recently detected and reported a significant security vulnerability in the cryptocurrency project Worldcoin. The flaw could have allowed a malicious entity to bypass the verification process and become an Orb operator without satisfying the necessary prerequisites.
In a series of tweets, CertiK elaborated on the potential consequences of this security vulnerability:
1/ On May 29th, CertiK reported a security vulnerability to #WorldCoin’s security team that could potentially allow an attacker to become an Orb operator by bypassing the verification process.
— CertiK (@CertiK) August 3, 2023
The firm clarified that an attacker could have circumvented the stringent participation requirements of the Worldcoin Operator acceptance process. This would mean that the attacker wouldn’t need to be a recognized business, possess proper ID verification, or undergo a vetting interview, which is typically obligatory for operating an Orb.
Upon receiving the report, Worldcoin’s security team acknowledged the vulnerability and swiftly issued a corrective measure. CertiK later confirmed that the fix had effectively neutralized the threat. The security firm noted that the specifics of the discovery and the manner in which the vulnerability was addressed would be disclosed at a later date.
In a related development, the Kenyan government has instructed Worldcoin to cease the registration of new users, citing concerns over data privacy. Worldcoin, the brainchild of US tech entrepreneur Sam Altman, provides free crypto tokens to individuals willing to have their eyeballs scanned.
Under the direction of Kithure Kindiki, the Kenyan Ministry of the Interior has commenced an investigation into Worldcoin. Security services and data protection agencies have been urged to confirm the project’s authenticity and adherence to legal standards.
In response, Worldcoin has announced plans to introduce crowd-control measures and collaborate with the government prior to resuming operations. The company has also maintained that it does not store any data and complies with Kenyan regulations.
Worldcoin has also been launched in several countries, including Indonesia, France, Japan, Germany, Spain, and the UK. Data protection authorities in some of these countries have already begun scrutinizing Worldcoin. The company purports to be establishing a new global “identity and financial network,” but it remains to be seen how it will tackle the intricate issues of data privacy and security.