The next-generation web – Web3 – has been hailed as more secure than the current incarnation of cyberspace, but a report released on Tuesday warns that may not be the case.
Although Web3 can be difficult to subvert at the infrastructure level, there are other points of attack that can provide threat actors with more opportunity for harm than can be found on the legacy web, according to the report by Forrester, a national technology research company.
Web3 applications, including NFTs, are not only vulnerable to attacks; they often present a larger attack surface than conventional applications due to the distributed nature of blockchains, Forrester reported.
Additionally, he added, Web3 applications are desirable targets because the tokens can be worth substantial sums of money.
The openness of Web3, which is supposed to be one of its main advantages, can also be a disadvantage. “The code that runs on a public blockchain is easily accessible, by anyone with the required technical skills, from anywhere in the world – no need to breach corporate defenses to access it,” observed Forrester vice president and principal analyst Martha Bennett, who also co-authored the report.
“Source code is usually also readily available, as running closed-source ‘smart contracts’ is frowned upon. The Web3 philosophy is, after all, ‘open code’,” she told TechNewsWorld.
David Rickard, CTO for North America at Cipher, a division of Prosegur, a multinational security company, explained that Web3 is based on distributed control of data and identity by its users.
“It widens the attack surface for people who may not want or simply be able to handle managing their own data and identity, bringing technical complexity to an arena that wants to be ‘easy to use’ above all else. “, he told TechNewsWorld.
“For individuals, going beyond text messaging, email and scrolling through social media and shopping apps is a real challenge for them,” he added.
The Web3 idea of making code transparent and publicly available is unlikely to gain traction, he argued. “Between capital investors and users of blockchain financial systems and NFTs, there is too much money at stake,” he said.
Making code transparent and public can also expand the attack surface in obvious ways, he continued. “Secure coding practices that predict how a system can be abused for nefarious gain are not commonly practiced,” he explained. “It’s not easy to predict how people might use systems for purposes other than intended.”
“Most of the financial losses regarding blockchain and NFT do not exploit the immutable object itself but manipulate them by exploiting the applications that can impact them,” he said.
Additionally, while legacy systems can be old, they can also be robust. “What’s new also tends to be the least secure,” said Matt Chiodi, director of trust at Cerby, maker of a platform to manage Shadow IT, in San Francisco.
“While time isn’t always a friend of security, it allows an application to be combat tested,” he told TechNewsWorld. “Web3 is no different. It’s new and very untested. Legacy apps have the advantage of saving time. Web3 doesn’t.
NFT is becoming a popular target
Regardless of whether the code is visible and accessible, the report notes, attackers will find weak spots. He explained that while it is tempting to assume that attacks on smart contracts and cryptocurrency wallets are confined to the Wild West of decentralized finance, increasingly, NFT projects have become a prime target.
“Why go for a harder hack if there are easier ways to get what you want?” Bennett asked. “Like any other place where value is exchanged, [NFT] marketplaces and communication tools attract those who want to steal or break the rules.
“In anything Web3, speed is key, and many of those involved lack the expertise to even assess what could be a potential security issue,” she said. . “Sometimes startups don’t even advertise for a security officer until an incident happens.”
One of the largest NFT market breaches occurred in June at OpenSea, which exposed some 1.8 million email addresses. “This particular case involved an insider threat, but applications handling transactions can be quite vulnerable,” Rickard observed.
“There can be hundreds of thousands of ways these can be misused that coders have to try to account for, but a hacker only needs to discover one vector, one time. , for a breach to occur,” he said.
Hangout for scammers
Forrester also reported that Discord, a social media network, has become a major weak point in NFT and other public blockchain projects. Successful phishing attacks on Discord are behind many, if not most, NFT thefts, he continued.
He explained that the attacks usually target community managers and administrators. Once an admin account has been successfully taken over, attackers have the ability to steal on a massive scale, as users tend to trust messages from community admins.
Discord was designed primarily to be a communication forum for gamers, not a place to store and exchange value, Bennett noted, and it has mechanisms in place to mitigate risk. “But these mechanisms can only be useful if they are implemented, and it is clear that too often they are not,” she said.
“Additionally,” she added, “being the preferred communication mechanism for token projects, Discord attracts a proportionate share of phishing attacks and fraudulent messages.”
Rickard argued that Discord communities provide a rich source of information for scammers, as well as investors. “Collecting participants’ contact information leads to phishing,” he said. “Digital wallet hacks are not unusual.”
“Discord bots were hacked so that threat actors could post fake knockoffs, leading to cryptocurrency theft,” he added.
Better Security Than Legacy Web?
In the fast-paced world of Web3, it’s tempting to ignore security in favor of rapid innovation, but public safety issues can easily derail a major launch or slow down the product team by forcing them to analyze and to mitigate critical security vulnerabilities, notes the Forrester report.
Companies can identify risks and protect both decentralized and centralized components of their Web3 application by engaging their security teams, not only in the software development lifecycle, but throughout the product lifecycle, a he added.
“Web3 needs to shift its focus to the left, which means bringing security as close to developers as possible and making prevention the end goal,” observed Chiodi. “Without this goal, Web3 will be no different from Web2. That would be a shame given its huge potential, especially around decentralized identity.
“Web3’s distributed approach provides different kinds of security capabilities, but the fundamental issues remain the same,” added Mark Bower, vice president of products at Anjuna, a confidential IT company, in Palo Alto, Calif.
“If an attacker gains access to credentials, root-level privileges, or keys — especially private keys that run across the entire ecosystem,” he told TechNewsWorld, “then the game is over, just like on a centralized platform”.