“New and improved” is the refrain of progress, but new technology doesn’t always turn out to be an improvement. In the case of the evolution from Web2 to Web3, a former hacker revealed how recent changes have created an all-new avenue of potential attack.

Recent updates were intended to tighten security. “Due to blockchain technology and its autonomous structure, it will also be safer than prior internet versions,” explained the Spiceworks blog. “Hackers will find it exceedingly tough to exploit the network, and even if they do, their activities will be logged.”

Except, in this case, those “improvements” have created further concerns. The issue, for both consumers and businesses, is that the “secure” aspect of Web3 — the blockchain authentication of things like crypto wallets — can also pose a massive security problem.

A Former Hacker Reveals New Avenues of Attack

Marcus Hutchins, a hacker-turned-security-pro, revealed new security weaknesses of Web3 in a social media video.

“Web3 has introduced a huge new attack surface,” Hutchins said in the video.

Hackers now have access to a 51% attack, which is an attack on a blockchain by a group that controls more than 50% of it. A group that takes over 51% or more of the blockchain has all the power to control the network.

Hutchins explains that smart contracts, which didn’t exist in Web2, are another new issue. Smart contracts are programs stored on a blockchain that will run when predetermined conditions are met, according to IBM. They are used to execute agreements without intermediaries and automate workflows. The smart contracts are getting hacked, creating a new attack surface.

To assume that new technology is secure just because it hasn’t been hacked yet is a huge mistake, said Hutchins. All technology is susceptible to vulnerabilities and exploits, and ignoring that just because something is branded as a more secure option opens up your organization and customers to untold risks.

What Exactly is Web3?

To understand Web3’s security issues, we must understand what Web3 is. The term was first coined almost a decade ago by Gavin Wood, who developed one of the earliest and more successful cryptocurrencies, Ethereum. It is a decentralized technology, built on blockchain, that allows users to have control over their own data and is meant to replace any internet interactions with traditional platforms.

Web3 aims to enhance the user experience by putting the user in charge of content. Without the need for a third-party platform to facilitate content, users will have control over their own data, improving privacy and giving them the choice of monetizing their personal information (rather than having it sold and monetized by someone else).

Web3 fundamentally differs from Web2, explained Spiceworks. Web2 focuses on reading and writing content, while Web3 is about creating content while increasing trust. This trust is supposed to expand into better security and privacy, but the reality is less optimistic.

Expanding the Attack Surface

While blockchain hardens infrastructure against potential cyberattacks, it doesn’t close the door to all types of risks, including some unique to Web3.

Examining the potential of Web3 — and the potential nightmares — Forrester researched the new technology, determining that there are two primary issues with Web3. The first is that it’s currently dominated by opportunists and investors in cryptocurrencies and various digital assets, particularly non-fungible tokens (NFTs), all operating within a largely unregulated environment. The second issue is that the core principles of Web3 simply aren’t applicable in today’s internet ecosystem.

“Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) than conventional applications do,” Forrester reported.

The apps are prime targets for threat actors, Forrester added, because the tokens have a monetary value. They are also prime targets because the source code running on the blockchain is easily accessible. It’s not protected by the type of security systems that protect an organization’s infrastructure. Instead, all a hacker needs are good technical skills, and they are in.

“Source code is typically also easily available, as running closed source ‘smart contracts’ is frowned upon. The Web3 ethos is, after all, ‘open code,’” Martha Bennett, Forrester Vice President and Principal Analyst and a co-author of the report, told TechNewsWorld.

Balancing User Experience and Security Concerns

Digital wallets will be the key to data privacy and security in a Web3 world. Just like a physical wallet holds everything a consumer needs — identification cards and various forms of currency — a digital wallet holds the same information, but with one big difference. The user gets to decide who supplies the contents of the wallet, such as the type of cryptocurrency or identifying credentials.

By putting control back in the hands of the user, organizations are expecting Web3 to improve overall consumer relations and develop loyalty between customer and brand. Decades of data breaches, identity theft and information misuse have taken their toll on consumer/corporate relations.

However, there is a big difference between a physical wallet and a digital wallet. If the physical wallet goes missing, the owner might lose the cash but can replace the credit cards, driver’s license and other pieces of identification. That’s not the case with a digital wallet, where all assets are gone for good if an attacker accesses a wallet key. There is no fraud department in Web3 where a victim can report a theft. There’s no FDIC to protect assets.

The bottom line is that cyber criminals are always looking for ways to make money. They will find ways to break into Web3 and all of blockchain’s built-in security measures. Cryptocurrency is their preferred currency already, and with Web3, money is already part of the structure. And because there is no outside security system built around Web3 and its data, threat actors have added incentives to break the code.

Web3 is the future of computing, and as it is more widely adopted, it becomes a more attractive attack vector for cyber criminals. They will break in; they always find a way to thwart security. It’s now up to organizations to recognize that Web3’s security is not foolproof and that protecting data needs attention before it is too late.
