October 20, 2022 By Sue Poremba 4 min read

“New and improved” is the refrain of progress, but new technology doesn’t always turn out to be an improvement. In the case of the evolution from Web2 to Web3, a former hacker revealed how recent changes have created an all-new avenue of potential attack.

Recent updates were intended to tighten security. “Due to blockchain technology and its autonomous structure, it will also be safer than prior internet versions,” explained the Spiceworks blog. “Hackers will find it exceedingly tough to exploit the network, and even if they do, their activities will be logged.”

Except, in this case, those “improvements” have created further concerns. The issue, for both consumers and businesses, is that the “secure” aspect of Web3 — the blockchain authentication of things like crypto wallets — can also pose a massive security problem.

A former hacker reveals new avenues of attack

Marcus Hutchins, a hacker-turned-security-pro, revealed new security weaknesses of Web3 in a social media video.

“Web3 has introduced a huge new attack surface,” Hutchins said in the video.

Hackers now have access to a 51% attack, which is an attack on blockchain by groups who control more than 50% of the blockchain. Those groups who take over 51% or more of the blockchain have all the power to control the network.

Hutchens explains that smart contracts, which didn’t exist in Web2, are another new issue. Smart contracts are programs stored on a blockchain that will run when predetermined conditions are met, according to IBM. They are used to execute agreements without intermediaries and automate workflows. The smart contracts are getting hacked, creating a new attack surface.

To assume that new technology is secure just because it hasn’t been hacked yet is a huge mistake, said Hutchins. All technology is susceptible to vulnerabilities and exploits and ignoring that just because something is branded as a more secure option opens up your organization and customers to untold risks.

What exactly is Web3?

To understand Web3’s security issues, we must understand what Web3 is. The term was first coined almost a decade ago by Gavin Wood, who developed one of the earliest and more successful cryptocurrencies, Ethereum. It is a decentralized technology, built on blockchain that allows users to have control over their own data and is meant to replace any internet interactions with traditional platforms.

Web3 aims to enhance the user experience by putting the user in charge of content. Without the need for a third-party platform to facilitate content, users will have control over their own data, improving privacy and giving them the choice of monetizing their personal information (rather than being sold and monetized by someone else). 

Web3 fundamentally differs from Web2, explained Spiceworks. Web2 focuses on reading and writing content, while Web3 is about creating content while increasing trust. This trust is supposed to expand into better security and privacy, but the reality is less optimistic.

Expanding the attack surface

While blockchain hardens infrastructure against potential cyberattacks, it doesn’t close the door to all types of risks, including some unique to Web3.

Examining the potential of Web3 — and the potential nightmares — Forrester researched the new technology, determining that there are two primary issues with Web3. It’s currently dominated by opportunists and investors in cryptocurrencies and various digital assets, particularly non-fungible tokens (NFTs), all operating within a largely unregulated environment. The second issue is that the core principles of Web3 simply aren’t applicable in today’s internet ecosystem.

“Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) than conventional applications do,” Forrester reported.

The apps are prime targets for threat actors, Forrester added, because the tokens have a monetary value. They are prime targets for attack because the source code running on the blockchain is easily accessible. It’s not protected by the type of security systems that protect an organization’s infrastructure. Instead, all a hacker needs are good technical skills, and they are in.

“Source code is typically also easily available, as running closed source ‘smart contracts’ is frowned upon. The Web3 ethos is, after all, ‘open code,'” Martha Bennett, Forrester Vice President and Principal Analyst and a co-author of the report, told TechNewsWorld.

Balancing user experience and security concerns

Digital wallets will be the key to data privacy and security in a Web3 world. Just like a physical wallet holds everything a consumer needs — identification cards and various forms of currency — a digital wallet holds the same information, but with one big difference. The user gets to decide who supplies the contents of the wallet, such as the type of cryptocurrency or identifying credentials.

By putting control back in the hands of the user, organizations are expecting Web3 to improve overall consumer relations and develop loyalty between customer and brand. Decades of data breaches, identity theft and information misuse have taken their toll on consumer/corporate relations.

However, there is a big difference between a physical wallet and a digital wallet. If the physical wallet goes missing, the owner might lose the cash but replace the credit cards, driver’s license and other pieces of identification. That’s not the case with a digital wallet, where all assets are gone for good if an attack accesses a wallet key. There is no fraud department in Web3 where a victim can report a theft. There’s no FDIC to protect assets.

The bottom line is that cyber criminals are always looking for ways to make money. They will find ways to break into Web3 and all of blockchain’s built-in security measures. Cryptocurrency is their preferred currency already, and with Web3, money is already part of the structure. And because there is no outside security system built around Web3 and its data, threat actors have added incentives to break the code.

Web3 is the future of computing, and as it is more widely adopted, it becomes a more attractive attack vector for cyber criminals. They will break in; they always find a way to thwart security. It’s now up to organizations to recognize that Web3’s security is not foolproof and that protecting data needs attention before it is too late.

More from Risk Management

Digital solidarity vs. digital sovereignty: Which side are you on?

4 min read - The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.What are the main differences between these two concepts, and why does it matter? Let’s…

A decade of global cyberattacks, and where they left us

5 min read - The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “'mega-breaches' were relatively rare, but now feel like an everyday occurrence.”A summary of the past decade in global cyberattacksThe cybersecurity landscape has been impacted by major world events, especially in recent years.…

It all adds up: Pretexting in executive compromise

4 min read - Executives hold the keys to the corporate kingdom. If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords.While phishing remains the primary pathway to executive compromise, increasing C-suite awareness of this risk requires a more in-depth approach from attackers: Pretexting.What is pretexting?Pretexting is the use of a fabricated story or narrative — a “pretext” — to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today