Web3 Illusion? Study Reveals Shocking Data Leaks from Wallets, Dapps

Think Web3 is private? Think again. Researchers found widespread leaks of wallet data, allowing third-party trackers to build profiles and exploit users.

This article is also published on my Medium page.

The dream of Web3 promises a new decentralized internet built on blockchain technology - a digital realm where users can roam freely with privacy and control over their data. But an alarming study from researchers at ETH Zurich exposes how this crypto frontier may be a Wild West of data exploitation. Their findings reveal that simply interacting with Web3 platforms like decentralized apps (dApps) and crypto wallets could expose users' sensitive information and online movements to a horde of unknown third-party trackers.

At the core of this Web3 world are digital wallet extensions like the wildly popular MetaMask, which act as gateways that over 10 million users have installed to connect to blockchain dApps and platforms. But these innocuous-looking wallet browser add-ons inject code into every page that websites and vulture-like third-party trackers can mercilessly devour, using it to digitally fingerprint individuals and leak their wallet addresses. A wallet address is a string of numbers and letters, and leaking one is akin to handing a highly sensitive financial account number to the highest bidder on the open internet.

The research team's deep dive into over 600 mainstream dApps across finance, gaming, NFT marketplaces, and beyond uncovered a staggering truth: one-third of these apps callously leaked users' wallet addresses to outside parties like blockchain providers and the data-ravenous advertising/analytics industry. Of the top 20 third-party trackers caught receiving this delicate wallet data, a shocking 19 of them openly admit in their privacy policies to also indiscriminately harvesting users' IP addresses.

The image is a table showing categories of websites sorted by their involvement with third-party calls related to wallet APIs, detailing the total number of websites in each category, the percentage of third-party calls, and identifying the top website and third-party involved for each category. Source: Is Your Wallet Snitching On You? An Analysis on the Privacy Implications of Web3, pg. 9.

But the ominous wallet leaks are just the start. The researchers' investigation revealed an even more pernicious threat - 13 out of 100 of the most downloaded Web3 wallet extensions themselves were directly hemorrhaging users' wallet addresses to unknown outside parties. This was happening silently in the background, without any user knowledge or consent.

Beyond these insidious leaks, the study exposed how over 800 of the internet's top 1,000 websites engage in ominous browser fingerprinting. Their code surreptitiously senses whether visitors have a Web3 wallet installed, using it as a data point to track users across the web. Mainstream digital giants like TikTok, The New York Times, and NBC exhibited this absolutely chilling fingerprinting behavior, frequently facilitated by the go-between of embedded third-party trackers hawking their wares on smut sites and news portals alike.
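The two behaviors described above (dApps and embedded scripts touching the wallet API the extension injects, and third parties using it to fingerprint visitors) can be spotted with a static scan of the scripts a page loads. The following is an added example, not code from the article or from the ETH Zurich paper: it assumes the wallet exposes the EIP-1193 provider as `window.ethereum` (as MetaMask does), flags scripts that reference wallet-API calls, and reports whether each hit comes from the page's own origin or a third party. The script samples are constructed.

```javascript
// Added example: flag scripts that touch the injected wallet provider and
// classify each hit as first-party or third-party relative to the page.
// Patterns cover the provider object itself and the JSON-RPC method names a
// script would pass to ethereum.request(...).
const WALLET_API_PATTERNS = [
  { name: 'provider-probe',   re: /\bwindow\.ethereum\b|\bethereum\.isMetaMask\b/ },
  { name: 'accounts-request', re: /['"]eth_(requestAccounts|accounts)['"]/ },
  { name: 'chain-query',      re: /['"]eth_chainId['"]|['"]net_version['"]/ },
];

// A script is first-party if it is served from the page's host or a subdomain of it.
function isThirdParty(pageOrigin, scriptUrl) {
  const page = new URL(pageOrigin).hostname;
  const script = new URL(scriptUrl).hostname;
  return !(script === page || script.endsWith('.' + page));
}

// scripts: [{ url, source }] as collected from a page's <script> tags.
// Returns one finding per (script, pattern) hit.
function scanScripts(pageOrigin, scripts) {
  const findings = [];
  for (const { url, source } of scripts) {
    for (const { name, re } of WALLET_API_PATTERNS) {
      if (re.test(source)) {
        findings.push({ url, pattern: name, thirdParty: isThirdParty(pageOrigin, url) });
      }
    }
  }
  return findings;
}

// Constructed sample: the dApp's own script legitimately requests accounts,
// a third-party analytics script merely probes for a wallet, and a
// first-party UI script never touches the provider.
const SAMPLE_PAGE = 'https://dapp.example';
const SAMPLE_SCRIPTS = [
  { url: 'https://dapp.example/app.js',
    source: "const accts = await window.ethereum.request({ method: 'eth_requestAccounts' });" },
  { url: 'https://cdn.tracker.example/t.js',
    source: "if (window.ethereum) { beacon({ hasWallet: true, mm: !!window.ethereum.isMetaMask }); }" },
  { url: 'https://static.dapp.example/ui.js', source: "document.title = 'hi';" },
];

function sampleReport() {
  return scanScripts(SAMPLE_PAGE, SAMPLE_SCRIPTS);
}
```

A third-party hit on `provider-probe` alone, with no accounts request, is the fingerprinting signature the study describes; a third-party hit on `accounts-request` is where address leakage would start.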

The image is an infographic explaining browser fingerprinting, highlighting different methods like system fonts, cookies, language, platform, and more, all organized around a central fingerprint design to illustrate how these elements can be used to identify and track users online. Source: SEON, What Is Browser Fingerprinting & How Does It Work?

Web3 is often advertised as a more secure and private version of the internet. However, this study shows that not only do decentralized applications leak users' sensitive data in radical ways, but wallets themselves are being abused by third parties to stalk users online without any consent whatsoever.

The alarming number of leaks prompted researchers to investigate how users could safeguard their Web3 privacy. They evaluated the effectiveness of the top five popular ad blockers: EasyList, DuckDuckGo, EasyPrivacy, Whotracks.me, and Disconnect. While Whotracks.me managed to block a respectable 43% of the identified third-party trackers, a sobering truth emerged: over half of that unwanted traffic still snuck through. Finally, in a desperate attempt to plug the holes, the research team combined and tested all five ad blockers together. However, even this potent defense failed to stop a staggering 48% of third-party requests.

The image presents a bar chart displaying the effectiveness of different ad blockers, with red bars indicating the number of third-party scripts blocked and grey bars showing those not blocked, illustrating varying levels of protection against tracking scripts. Source: Is Your Wallet Snitching On You? An Analysis on the Privacy Implications of Web3, pg. 9.

The existing wallet infrastructure is simply not designed with the user's privacy in mind. Websites are unabashedly pillaging wallets to fingerprint their visitors, while dApps and the wallets themselves freely leak addresses to any third party with its hands out. Radical new solutions prioritizing privacy preservation are desperately needed.

Web3 and blockchain technology were meant to usher in a new era of decentralization and digital sovereignty. However, this study serves as a wake-up call, revealing that users flocking to this seemingly liberal domain may be falling into the same data privacy traps that have plagued the traditional web for decades. Despite the utopian dream of unfettered online freedom, the lack of robust privacy standards in Web3 risks turning it into a democratized panopticon, where corporations can silently monitor every transaction, balance, and financial trail under the guise of decentralization.

Ironically, the very transparency that Web3 promised could lead to a concentration of power in the hands of a few, replicating the oligarchic structures it sought to dismantle. As the Web3 ecosystem converges with mainstream finance, regulators must act swiftly to implement guardrails that prevent exploitative data harvesting from becoming an uncontrollable cancer on the open web. Failure to do so could dash the dreams of a free and equitable internet renaissance, as user data flows back into the hands of entrenched corporate giants, creating a surveilled, gridlocked web that is even more fossilized than its predecessor.
