October 20, 2022 By Sue Poremba 4 min read

“New and improved” is the refrain of progress, but new technology doesn’t always turn out to be an improvement. In the case of the evolution from Web2 to Web3, a former hacker revealed how recent changes have created an all-new avenue of potential attack.

Recent updates were intended to tighten security. “Due to blockchain technology and its autonomous structure, it will also be safer than prior internet versions,” explained the Spiceworks blog. “Hackers will find it exceedingly tough to exploit the network, and even if they do, their activities will be logged.”

Except, in this case, those “improvements” have created further concerns. The issue, for both consumers and businesses, is that the “secure” aspect of Web3 — the blockchain authentication of things like crypto wallets — can also pose a massive security problem.

A former hacker reveals new avenues of attack

Marcus Hutchins, a hacker-turned-security-pro, revealed new security weaknesses of Web3 in a social media video.

“Web3 has introduced a huge new attack surface,” Hutchins said in the video.

Hackers now have access to a 51% attack, an attack on a blockchain by a group that controls more than 50% of the network's computing (hashing) power. A group that holds 51% or more of that power has the ability to control which blocks the network accepts.
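To make the 51% threshold concrete, here is an added example (not from the article) that implements the attacker catch-up probability from the Bitcoin whitepaper: given a miner's share of hashing power q and a transaction buried under z confirmations, it returns the chance that the miner can rewrite that history. It also shows the defender's lever, the number of confirmations needed to push that chance below a chosen risk, which only exists while q is below one half; the function names and the risk threshold are my own choices.

```python
import math


def attacker_success(q: float, z: int) -> float:
    """Probability that a miner with hash-power share q eventually
    overtakes the honest chain once a block has z confirmations
    (Nakamoto 2008, section 11). With q >= 0.5 the attacker's chain
    grows faster on average, so it always catches up: that is the
    51% attack."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z must be >= 0")
    p = 1.0 - q                      # honest share of hashing power
    if q >= p:
        return 1.0                   # majority attacker: certain success
    lam = z * q / p                  # expected attacker progress while
    total = 0.0                      # the honest chain mines z blocks
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        # attacker is z-k blocks behind; (q/p)^(z-k) is the odds of
        # closing that gap from behind (a gambler's-ruin result)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_for_risk(q: float, max_risk: float, limit: int = 1000):
    """Smallest confirmation depth that keeps attacker success below
    max_risk, or None when no depth is safe (q >= 0.5) or when the
    search limit is exceeded."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.51):
        print(f"q={q:.2f}: P(success at 6 confirmations)="
              f"{attacker_success(q, 6):.7f}, "
              f"depth for <0.1% risk: {confirmations_for_risk(q, 0.001)}")
```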

Hutchins explains that smart contracts, which didn't exist in Web2, are another new issue. Smart contracts are programs stored on a blockchain that run when predetermined conditions are met, according to IBM. They are used to execute agreements without intermediaries and to automate workflows. Smart contracts are being hacked, creating a new attack surface.

To assume that new technology is secure just because it hasn't been hacked yet is a huge mistake, said Hutchins. All technology is susceptible to vulnerabilities and exploits, and ignoring that just because something is branded as a more secure option opens up your organization and customers to untold risks.

What exactly is Web3?

To understand Web3's security issues, we must understand what Web3 is. The term was first coined almost a decade ago by Gavin Wood, who developed one of the earliest and more successful cryptocurrencies, Ethereum. Web3 is a decentralized technology, built on blockchain, that gives users control over their own data and is meant to replace internet interactions that currently run through traditional platforms.

Web3 aims to enhance the user experience by putting the user in charge of content. Without the need for a third-party platform to facilitate content, users will have control over their own data, improving privacy and giving them the choice of monetizing their personal information (rather than being sold and monetized by someone else). 

Web3 fundamentally differs from Web2, explained Spiceworks. Web2 focuses on reading and writing content, while Web3 is about creating content while increasing trust. This trust is supposed to expand into better security and privacy, but the reality is less optimistic.

Expanding the attack surface

While blockchain hardens infrastructure against potential cyberattacks, it doesn’t close the door to all types of risks, including some unique to Web3.

Examining the potential of Web3 — and the potential nightmares — Forrester researched the new technology and identified two primary issues with Web3. The first is that it is currently dominated by opportunists and investors in cryptocurrencies and various digital assets, particularly non-fungible tokens (NFTs), all operating within a largely unregulated environment. The second is that the core principles of Web3 simply aren't applicable in today's internet ecosystem.

“Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) than conventional applications do,” Forrester reported.

The apps are prime targets for threat actors, Forrester added, because the tokens have a monetary value and because the source code running on the blockchain is easily accessible. It's not protected by the type of security systems that protect an organization's infrastructure. Instead, all a hacker needs are good technical skills, and they are in.

“Source code is typically also easily available, as running closed source ‘smart contracts’ is frowned upon. The Web3 ethos is, after all, ‘open code,’” Martha Bennett, Forrester Vice President and Principal Analyst and a co-author of the report, told TechNewsWorld.

Balancing user experience and security concerns

Digital wallets will be the key to data privacy and security in a Web3 world. Just like a physical wallet holds everything a consumer needs — identification cards and various forms of currency — a digital wallet holds the same information, but with one big difference. The user gets to decide who supplies the contents of the wallet, such as the type of cryptocurrency or identifying credentials.

By putting control back in the hands of the user, organizations are expecting Web3 to improve overall consumer relations and develop loyalty between customer and brand. Decades of data breaches, identity theft and information misuse have taken their toll on consumer/corporate relations.

However, there is a big difference between a physical wallet and a digital wallet. If the physical wallet goes missing, the owner might lose the cash but can replace the credit cards, driver's license and other pieces of identification. That's not the case with a digital wallet, where all assets are gone for good if an attacker obtains the wallet's key. There is no fraud department in Web3 where a victim can report a theft. There's no FDIC to protect assets.

The bottom line is that cyber criminals are always looking for ways to make money. They will find ways to break into Web3 and all of blockchain’s built-in security measures. Cryptocurrency is their preferred currency already, and with Web3, money is already part of the structure. And because there is no outside security system built around Web3 and its data, threat actors have added incentives to break the code.

Web3 is the future of computing, and as it is more widely adopted, it becomes a more attractive attack vector for cyber criminals. They will break in; they always find a way to thwart security. It’s now up to organizations to recognize that Web3’s security is not foolproof and that protecting data needs attention before it is too late.
