Trail of Bits completes Worldcoin security audits, finds no vulnerabilities
Cybersecurity firm Trail of Bits has concluded its audit of the software on Worldcoin's Orb and found that it adheres to stringent privacy protocols, particularly in how it processes and stores personally identifiable information (PII).
The full report, released on March 13, found no vulnerabilities in the Orb's own software and validated many of Worldcoin's privacy claims; the findings it did raise were hardening recommendations and an issue in a third-party QR-code library (see Recommendations below).
The audit was initiated on Aug. 14, 2023, after multiple regulators across the globe raised concerns about Worldcoin’s biometric data collection, with some outright banning its operations.
The audit
Trail of Bits' audit set out to examine the Orb's software in detail, focusing on its handling of PII and on the lifecycle of users' iris codes.
During the default opt-out signup flow, the Orb collects no PII other than the iris code, which is neither written to persistent storage nor allowed to leave the Orb. When a user opts in, their PII is encrypted on the Orb's SSD in a form that the Orb itself cannot decrypt, so possession of the device alone does not expose that data.
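The property described above, a device that can write data it cannot itself read, is normally achieved by provisioning the device with only a public key and keeping the matching private key elsewhere. The Go program below is an added illustration of that pattern using hybrid public-key encryption (an ephemeral X25519 agreement feeding AES-256-GCM), a standard construction; it is not Worldcoin's code, and the report does not say which primitives the Orb uses. The Custodian and Device names, the single-SHA-256 key derivation and the sample PII string are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Custodian holds the long-term X25519 private key off the device (assumed
// here to be an HSM or a separate service); the device only sees the public half.
type Custodian struct{ priv *ecdh.PrivateKey }

// Device is the encrypt-only side: it can seal PII but has no way to open it.
type Device struct{ custodianPub *ecdh.PublicKey }

func GenerateCustodian() (*Custodian, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &Custodian{priv: priv}, nil
}

// PublicKeyBytes is the only key material ever copied onto the device.
func (c *Custodian) PublicKeyBytes() []byte { return c.priv.PublicKey().Bytes() }

func NewDevice(custodianPub []byte) (*Device, error) {
	pub, err := ecdh.X25519().NewPublicKey(custodianPub)
	if err != nil { return nil, err }
	return &Device{custodianPub: pub}, nil
}

// deriveKey turns the ECDH shared secret into an AES-256 key, binding both
// public keys so the key is tied to this exchange. (A single SHA-256 is used
// for brevity; HKDF would be the usual choice in production.)
func deriveKey(shared, ephPub, custPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("pii-seal-v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(custPub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext so that only the custodian can read it.
// Blob layout: ephemeral public key (32) || GCM nonce (12) || ciphertext+tag.
func (d *Device) Seal(plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(d.custodianPub)
	if err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub, d.custodianPub.Bytes()))
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	// Once eph is dropped nothing on the device can recompute `shared`, which
	// is exactly what makes the blob unreadable to the device itself.
	// The header is passed as additional data so it cannot be swapped.
	header := append(append([]byte{}, ephPub...), nonce...)
	return append(header, gcm.Seal(nil, nonce, plaintext, header)...), nil
}

// Open exists only on Custodian; there is deliberately no Device.Open.
func (c *Custodian) Open(blob []byte) ([]byte, error) {
	const pubLen, nonceLen = 32, 12
	if len(blob) < pubLen+nonceLen+16 { return nil, errors.New("blob too short") }
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:pubLen])
	if err != nil { return nil, err }
	shared, err := c.priv.ECDH(ephPub)
	if err != nil { return nil, err }
	gcm, err := newGCM(deriveKey(shared, blob[:pubLen], c.PublicKeyBytes()))
	if err != nil { return nil, err }
	header := blob[:pubLen+nonceLen]
	return gcm.Open(nil, blob[pubLen:pubLen+nonceLen], blob[pubLen+nonceLen:], header)
}

func main() {
	custodian, err := GenerateCustodian()
	if err != nil { panic(err) }
	device, err := NewDevice(custodian.PublicKeyBytes())
	if err != nil { panic(err) }
	pii := []byte("constructed sample: name=Alice, dob=1990-01-01")
	blob, err := device.Seal(pii)
	if err != nil { panic(err) }
	fmt.Printf("device sealed %d bytes into a %d-byte blob\n", len(pii), len(blob))
	got, err := custodian.Open(blob)
	if err != nil || string(got) != string(pii) { panic("custodian could not open blob") }
	fmt.Println("custodian decrypted:", string(got))
}
```

The point to check in a design like this is the absence of any decryption path on the device: the Device type stores only a public key, the ephemeral private key used for the agreement is discarded as soon as Seal returns, and any tampering with the stored blob (including swapping the embedded ephemeral public key) fails the GCM tag check at the custodian.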
The audit also verified that the Orb does not pull additional sensitive data from a user's phone: the only information it takes from the device is the contents of the QR code presented at signup, a minimal-collection approach that aligns with privacy best practices.
The iris code, the most sensitive piece of biometric data the Orb handles, is protected throughout its collection and transmission, mitigating the risk of unauthorized access or interception.
Recommendations
The audit also identified areas for improvement, recommending additional hardening of the Orb's software and hardware configuration.
In response, Worldcoin has implemented changes, including replacing a vulnerable library used for QR code scanning with a more secure alternative.
The Trail of Bits audit is one part of Worldcoin's ongoing effort to secure its technology. With the Orb central to the Worldcoin project's stated mission of providing a universal basic income, such assessments are important for maintaining user trust and project integrity.
Recognizing the importance of transparency and community engagement, Worldcoin has invited public participation in its bug bounty program and plans to share future audit reports as they become available.