October 20, 2022 By Sue Poremba 4 min read

“New and improved” is the refrain of progress, but new technology doesn’t always turn out to be an improvement. In the case of the evolution from Web2 to Web3, a former hacker revealed how recent changes have created an all-new avenue of potential attack.

Recent updates were intended to tighten security. “Due to blockchain technology and its autonomous structure, it will also be safer than prior internet versions,” explained the Spiceworks blog. “Hackers will find it exceedingly tough to exploit the network, and even if they do, their activities will be logged.”

Except, in this case, those “improvements” have created further concerns. The issue, for both consumers and businesses, is that the “secure” aspect of Web3 — the blockchain authentication of things like crypto wallets — can also pose a massive security problem.

A former hacker reveals new avenues of attack

Marcus Hutchins, a hacker-turned-security-pro, revealed new security weaknesses of Web3 in a social media video.

“Web3 has introduced a huge new attack surface,” Hutchins said in the video.

Attackers now have access to a 51% attack, in which a group that controls more than 50% of a blockchain network's computing power takes control of the network. A group holding 51% or more can dictate which blocks, and therefore which transactions, the network accepts.

Hutchins explains that smart contracts, which didn’t exist in Web2, are another new issue. Smart contracts are programs stored on a blockchain that run when predetermined conditions are met, according to IBM. They are used to execute agreements without intermediaries and to automate workflows. Smart contracts are being hacked, creating a new attack surface.

To assume that new technology is secure just because it hasn’t been hacked yet is a huge mistake, said Hutchins. All technology is susceptible to vulnerabilities and exploits, and ignoring that just because something is branded as a more secure option opens up your organization and customers to untold risks.

What exactly is Web3?

To understand Web3’s security issues, we must understand what Web3 is. The term was first coined almost a decade ago by Gavin Wood, who developed one of the earliest and more successful cryptocurrencies, Ethereum. It is a decentralized technology, built on blockchain, that allows users to have control over their own data and is meant to replace the internet interactions that currently run through traditional platforms.

Web3 aims to enhance the user experience by putting the user in charge of content. Without the need for a third-party platform to facilitate content, users will have control over their own data, improving privacy and giving them the choice of monetizing their personal information (rather than being sold and monetized by someone else). 

Web3 fundamentally differs from Web2, explained Spiceworks. Web2 focuses on reading and writing content, while Web3 is about creating content while increasing trust. This trust is supposed to expand into better security and privacy, but the reality is less optimistic.

Expanding the attack surface

While blockchain hardens infrastructure against potential cyberattacks, it doesn’t close the door to all types of risks, including some unique to Web3.

Examining the potential of Web3 — and the potential nightmares — Forrester researched the new technology and determined that there are two primary issues with Web3. The first is that it’s currently dominated by opportunists and investors in cryptocurrencies and various digital assets, particularly non-fungible tokens (NFTs), all operating within a largely unregulated environment. The second is that the core principles of Web3 simply aren’t applicable in today’s internet ecosystem.

“Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) than conventional applications do,” Forrester reported.

The apps are prime targets for threat actors, Forrester added, because the tokens have a monetary value. They are also prime targets because the source code running on the blockchain is easily accessible. It’s not protected by the type of security systems that protect an organization’s infrastructure. Instead, all a hacker needs are good technical skills, and they are in.

“Source code is typically also easily available, as running closed source ‘smart contracts’ is frowned upon. The Web3 ethos is, after all, ‘open code,’” Martha Bennett, Forrester Vice President and Principal Analyst and a co-author of the report, told TechNewsWorld.

Balancing user experience and security concerns

Digital wallets will be the key to data privacy and security in a Web3 world. Just like a physical wallet holds everything a consumer needs — identification cards and various forms of currency — a digital wallet holds the same information, but with one big difference. The user gets to decide who supplies the contents of the wallet, such as the type of cryptocurrency or identifying credentials.

By putting control back in the hands of the user, organizations are expecting Web3 to improve overall consumer relations and develop loyalty between customer and brand. Decades of data breaches, identity theft and information misuse have taken their toll on consumer/corporate relations.

However, there is a big difference between a physical wallet and a digital wallet. If the physical wallet goes missing, the owner might lose the cash but can replace the credit cards, driver’s license and other pieces of identification. That’s not the case with a digital wallet, where all assets are gone for good if an attacker obtains the wallet’s private key. There is no fraud department in Web3 where a victim can report a theft. There’s no FDIC to protect assets.

The bottom line is that cyber criminals are always looking for ways to make money. They will find ways to break into Web3 despite all of blockchain’s built-in security measures. Cryptocurrency is already their preferred currency, and with Web3, money is already part of the structure. And because there is no outside security system built around Web3 and its data, threat actors have added incentives to break the code.

Web3 is the future of computing, and as it is more widely adopted, it becomes a more attractive target for cyber criminals. They will break in; they always find a way to thwart security. It’s now up to organizations to recognize that Web3’s security is not foolproof and that protecting data needs attention before it is too late.
