{"id":391,"date":"2026-03-26T09:13:10","date_gmt":"2026-03-26T09:13:10","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=391"},"modified":"2026-03-26T09:13:10","modified_gmt":"2026-03-26T09:13:10","slug":"webrtc-skimmer-bypasses-csp-to-steal-payment-data-from-e-commerce-sites","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=391","title":{"rendered":"WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Mar 26, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Web Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have discovered a new payment skimmer that uses <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/WebRTC_API\/Using_data_channels\" rel=\"noopener\" target=\"_blank\">WebRTC data channels<\/a> as a means to receive payloads and exfiltrate data, effectively bypassing security controls.<\/p>\n<p>\u00abInstead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data,\u00bb Sansec <a href=\"https:\/\/sansec.io\/research\/webrtc-skimmer\" rel=\"noopener\" target=\"_blank\">said<\/a> in a report published this week.<\/p>\n<p>The attack, which targeted a car maker&#8217;s e-commerce website, is said to have been facilitated by PolyShell, a 
new vulnerability impacting Magento Open Source and Adobe Commerce that allows unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution.<\/p>\n<p>Notably, the vulnerability has been under mass exploitation since March 19, 2026, with more than 50 IP addresses participating in the scanning activity. The Dutch security company said it has found PolyShell attacks on 56.7% of all vulnerable stores.<\/p>\n<p>The skimmer is designed as a self-executing script that establishes a WebRTC peer connection to a hard-coded IP address (\u00ab202.181.177[.]177\u00bb) over UDP port 3479 and retrieves JavaScript code that&#8217;s subsequently injected into the web page for stealing payment information.<\/p>\n<p>The use of WebRTC marks a significant evolution in skimmer attacks, as it bypasses Content Security Policy (<a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Guides\/CSP\" rel=\"noopener\" target=\"_blank\">CSP<\/a>) directives.<\/p>\n<p>\u00abA store with a strict CSP that blocks all unauthorized HTTP connections is still wide open to WebRTC-based exfiltration,\u00bb Sansec noted. \u00abThe traffic itself is also harder to detect. WebRTC DataChannels run over DTLS-encrypted UDP, not HTTP. 
Network security tools that inspect HTTP traffic will never see the stolen data leave.\u00bb<\/p>\n<p>Adobe shipped a fix for PolyShell in <a href=\"https:\/\/experienceleague.adobe.com\/en\/docs\/commerce-operations\/release\/notes\/adobe-commerce\/2-4-9?lang=en#highlights-in-v249-beta1\" rel=\"noopener\" target=\"_blank\">version 2.4.9-beta1<\/a>, released on March 10, 2026, but the patch has yet to reach the production versions.<\/p>\n<p>As mitigations, site owners are advised to block access to the \u00abpub\/media\/custom_options\/\u00bb directory and scan their stores for web shells, backdoors, and other malware.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Mar 26, 2026Malware \/ Web Security Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively&hellip;<\/p>\n","protected":false},"author":1,"featured_media":392,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[889,890,38,892,891,228,888,571,887],"class_list":["post-391","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-bypasses","tag-csp","tag-data","tag-ecommerce","tag-payment","tag-sites","tag-skimmer","tag-steal","tag-webrtc"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=391"}],"version-history":[
{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/391\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/392"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}