The next generation web — Web3 — has been hailed as more secure than the current incarnation of cyberspace, but a report released Tuesday warns that may not be so.
While Web3 may be difficult to subvert on an infrastructure level, there are other points of attack that may offer threat actors more opportunity for mischief than can be found in the legacy web, according to the report from Forrester, a national technology research company.
Web3 applications, including NFTs, aren’t just vulnerable to attack; they often present a broader attack surface than conventional applications due to the distributed nature of blockchains, Forrester reported.
Further, it added, Web3 apps are desirable targets because tokens can be worth substantial sums of money.
The openness of Web3, which is supposed to be one of its chief benefits, can be a detriment, too. “Code that’s running on a public blockchain is easily accessible, by anybody with the required technical skills, from anywhere in the world — no need to penetrate any corporate defenses in getting to it,” observed Forrester Vice President and Principal Analyst Martha Bennett, who is also a co-author of the report.
“Source code is typically also easily available, as running closed source ‘smart contracts’ is frowned upon. The Web3 ethos is, after all, ‘open code,’” she told TechNewsWorld.
David Rickard, CTO for North America at Cipher, a division of Prosegur, a multinational security company, explained that Web3 is based on the distributed control of data and identity by its users.
“That broadens the attack surface to individuals who may be unwilling or simply unable to handle management of their own data and identity, bringing a technical complexity to an arena that desires ‘easy to use’ above anything else,” he told TechNewsWorld.
“Individuals, going beyond text messaging, email, and scrolling through social media and shopping apps is a real challenge for them,” he added.
The Web3 idea of making code transparent and publicly available is unlikely to gain real traction, he maintained. “Between capital investors and users of blockchain financial systems and NFTs, there’s too much money at stake,” he said.
Making code transparent and public can also broaden the attack surface in obvious ways, he continued. “Secure coding practices that predict how one may misuse a system for nefarious gains aren’t that commonly practiced,” he explained. “It’s not easy to predict how people may use systems for purposes other than those intended.”
“Most financial losses concerning blockchain and NFT exploit not the immutable object itself but manipulate them by exploiting the applications that can impact them,” he said.
In addition, while legacy systems may be old, they can also be robust. “What is new also tends to be the most insecure,” declared Matt Chiodi, chief trust officer at Cerby, maker of a platform to manage Shadow IT, in San Francisco.
“While time is not always a friend of security, it does allow an application to become battle tested,” he told TechNewsWorld. “Web3 is no different. It’s new and very much untested. Legacy applications have the benefit of time. Web3 does not.”
NFT Becoming Popular Target
Regardless of whether code is visible and accessible, the report noted, attackers will find the weak points. It explained that while it’s tempting to assume that attacks on smart contracts and cryptocurrency wallets are confined to the Wild West of decentralized finance, increasingly, NFT projects have become a favored target.
“Why go for a more difficult hack if there are easier ways of achieving what you want?” asked Bennett. “Like any other venue where value is traded, [NFT] marketplaces and communications tools attract those who want to steal or otherwise subvert the rules.”
“In anything to do with Web3, speed is of the essence, and many of those involved don’t have the required expertise even to assess what might be a potential security issue,” she said. “Sometimes, startups don’t even advertise for a head of security until after something bad happened.”
One of the largest breaches of an NFT marketplace occurred in June at OpenSea, which exposed some 1.8 million email addresses. “That particular case involved an insider threat, but applications handling transactions can be quite vulnerable,” Rickard observed.
“There may be hundreds of thousands of ways these can be misused that coders have to try to account for, yet a hacker need only discover one vector, one time for a breach to occur,” he said.
Hangout for Scammers
Forrester also reported that Discord, a social media network, has become a major weak point in NFT and other public blockchain projects. Successful phishing attacks on Discord are at the root of many, if not most, NFT thefts, it continued.
It explained that the attacks are typically targeted at community managers and administrators. Once an administrator account has been successfully taken over, attackers have the opportunity to steal on a grand scale, because users tend to trust messages from community administrators.
Discord was designed primarily to be a communications forum for gamers, not a place to hold and exchange value, Bennett noted, and it does have mechanisms in place to mitigate risk. “But these mechanisms can only help if they’re implemented, and it’s clear that all too often, they’re not,” she said.
“Also,” she added, “being the favored communications mechanism for token projects, Discord attracts a commensurate share of phishing attacks and scam messages.”
Rickard maintained that Discord communities provide a rich source of information for scammers, as well as investors. “Harvesting contact information of participants leads to phishing,” he said. “Hacks into digital wallets are not unusual.”
“Discord bots have been hacked so threat actors can post fake minting offers, resulting in theft of cryptocurrency,” he added.
Better Security Than Legacy Web?
In the fast-moving Web3 world, it’s tempting to ignore security in favor of innovating quickly, but public security issues can easily derail a major launch or slow down the product team by forcing them to analyze and mitigate critical security flaws, Forrester’s report noted.
Firms can identify risks and protect both their Web3 application’s decentralized and centralized components by engaging their security teams — not just in the software development lifecycle — but throughout the product lifecycle, it added.
“Web3 needs to shift its focus to the left, meaning getting security as close to the developers as possible and making prevention the end goal,” Chiodi observed. “Without this focus, Web3 will end up no differently than Web2. That would be a shame given its tremendous potential, especially around decentralized identity.”
“The distributed approach of Web3 provides different types a security capabilities, but the fundamental problems remain the same,” added Mark Bower, vice president for product at Anjuna, a confidential computing company, in Palo Alto, Calif.
“If an attacker gets access to credentials, root-level privilege or keys — particularly private keys that run across the entire ecosystem,” he told TechNewsWorld, “then it’s game over, just as it would be in a centralized platform.”