October 20, 2022 By Sue Poremba 4 min read

“New and improved” is the refrain of progress, but new technology doesn’t always turn out to be an improvement. In the case of the evolution from Web2 to Web3, a former hacker revealed how recent changes have created an all-new avenue of potential attack.

Recent updates were intended to tighten security. “Due to blockchain technology and its autonomous structure, it will also be safer than prior internet versions,” explained the Spiceworks blog. “Hackers will find it exceedingly tough to exploit the network, and even if they do, their activities will be logged.”

Except, in this case, those “improvements” have created further concerns. The issue, for both consumers and businesses, is that the “secure” aspect of Web3 — the blockchain authentication of things like crypto wallets — can also pose a massive security problem.

A former hacker reveals new avenues of attack

Marcus Hutchins, a hacker-turned-security-pro, revealed new security weaknesses of Web3 in a social media video.

“Web3 has introduced a huge new attack surface,” Hutchins said in the video.

Hackers can now mount a 51% attack, which is an attack on a blockchain by a group that controls more than 50% of it. A group that takes over 51% or more of the blockchain has all the power to control the network.

Hutchins explains that smart contracts, which didn’t exist in Web2, are another new issue. Smart contracts are programs stored on a blockchain that will run when predetermined conditions are met, according to IBM. They are used to execute agreements without intermediaries and automate workflows. The smart contracts are getting hacked, creating a new attack surface.

To assume that new technology is secure just because it hasn’t been hacked yet is a huge mistake, said Hutchins. All technology is susceptible to vulnerabilities and exploits, and ignoring that just because something is branded as a more secure option opens up your organization and customers to untold risks.

What exactly is Web3?

To understand Web3’s security issues, we must understand what Web3 is. The term was first coined almost a decade ago by Gavin Wood, who developed one of the earliest and more successful cryptocurrencies, Ethereum. It is a decentralized technology, built on blockchain, that allows users to have control over their own data and is meant to replace any internet interactions with traditional platforms.

Web3 aims to enhance the user experience by putting the user in charge of content. Without the need for a third-party platform to facilitate content, users will have control over their own data, improving privacy and giving them the choice of monetizing their personal information (rather than having it sold and monetized by someone else).

Web3 fundamentally differs from Web2, explained Spiceworks. Web2 focuses on reading and writing content, while Web3 is about creating content while increasing trust. This trust is supposed to expand into better security and privacy, but the reality is less optimistic.

Expanding the attack surface

While blockchain hardens infrastructure against potential cyberattacks, it doesn’t close the door to all types of risks, including some unique to Web3.

Examining the potential of Web3 — and the potential nightmares — Forrester researched the new technology, determining that there are two primary issues with Web3. The first is that it’s currently dominated by opportunists and investors in cryptocurrencies and various digital assets, particularly non-fungible tokens (NFTs), all operating within a largely unregulated environment. The second issue is that the core principles of Web3 simply aren’t applicable in today’s internet ecosystem.

“Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) than conventional applications do,” Forrester reported.

The apps are prime targets for threat actors, Forrester added, because the tokens have a monetary value. They are also prime targets because the source code running on the blockchain is easily accessible. It’s not protected by the type of security systems that protect an organization’s infrastructure. Instead, all a hacker needs are good technical skills, and they are in.

“Source code is typically also easily available, as running closed source ‘smart contracts’ is frowned upon. The Web3 ethos is, after all, ‘open code,’” Martha Bennett, Forrester Vice President and Principal Analyst and a co-author of the report, told TechNewsWorld.

Balancing user experience and security concerns

Digital wallets will be the key to data privacy and security in a Web3 world. Just like a physical wallet holds everything a consumer needs — identification cards and various forms of currency — a digital wallet holds the same information, but with one big difference. The user gets to decide who supplies the contents of the wallet, such as the type of cryptocurrency or identifying credentials.

By putting control back in the hands of the user, organizations are expecting Web3 to improve overall consumer relations and develop loyalty between customer and brand. Decades of data breaches, identity theft and information misuse have taken their toll on consumer/corporate relations.

However, there is a big difference between a physical wallet and a digital wallet. If the physical wallet goes missing, the owner might lose the cash but replace the credit cards, driver’s license and other pieces of identification. That’s not the case with a digital wallet, where all assets are gone for good if an attacker accesses a wallet key. There is no fraud department in Web3 where a victim can report a theft. There’s no FDIC to protect assets.

The bottom line is that cyber criminals are always looking for ways to make money. They will find ways to break into Web3 and all of blockchain’s built-in security measures. Cryptocurrency is their preferred currency already, and with Web3, money is already part of the structure. And because there is no outside security system built around Web3 and its data, threat actors have added incentives to break the code.

Web3 is the future of computing, and as it is more widely adopted, it becomes a more attractive attack vector for cyber criminals. They will break in; they always find a way to thwart security. It’s now up to organizations to recognize that Web3’s security is not foolproof and that protecting data needs attention before it is too late.
