
New WebRTC Skimmer Exploits E-commerce Vulnerability to Steal Payment Data

A sophisticated new payment skimmer has been discovered that leverages WebRTC data channels to bypass traditional security measures and steal sensitive payment information from e-commerce websites. This novel approach circumvents Content Security Policy (CSP) directives, making it a significant threat to online retailers.

Key Takeaways

  • A new payment skimmer uses WebRTC data channels for payload delivery and data exfiltration.

  • This method bypasses Content Security Policy (CSP) and makes detection difficult.

  • The attack exploits the PolyShell vulnerability in Magento and Adobe Commerce.

  • The vulnerability has been under mass exploitation since March 19, 2026.

WebRTC: A New Frontier for Skimmers

Cybersecurity researchers have identified a novel payment skimmer that deviates from typical attack vectors. Instead of relying on conventional HTTP requests or image beacons, this malware uses WebRTC (Web Real-Time Communication) data channels. These channels are employed both to receive malicious payloads and to exfiltrate stolen payment data, sidestepping security controls that are built around inspecting HTTP traffic.

Exploiting the PolyShell Vulnerability

The attack, which has targeted e-commerce platforms including a car manufacturer's site, is facilitated by the PolyShell vulnerability. This flaw affects Magento Open Source and Adobe Commerce, allowing unauthenticated attackers to upload arbitrary executables via the REST API, leading to code execution. Since March 19, 2026, this vulnerability has been widely exploited, with extensive scanning activity observed from numerous IP addresses.

Bypassing Content Security Policy (CSP)

A critical aspect of this new skimmer is its ability to bypass Content Security Policy (CSP) directives. CSP is a security measure designed to prevent cross-site scripting (XSS) and other code injection attacks by specifying which resources a browser is allowed to load and which origins it may connect to. However, the connect-src directive governs fetch, XMLHttpRequest, WebSocket and beacon requests, not RTCPeerConnection, so a WebRTC data channel operates outside the scope of typical CSP rules. Even websites with strict CSP configurations that block unauthorized HTTP connections remain vulnerable to this WebRTC-based data theft.

Evasion and Detection Challenges

The use of WebRTC presents significant challenges for detection. The data channels operate over DTLS-encrypted UDP, not HTTP. This means that network security tools primarily designed to inspect HTTP traffic will not be able to see the stolen data as it leaves the compromised system. The skimmer establishes a peer connection to a hard-coded IP address over UDP port 3479, retrieves JavaScript code, and injects it into the web page to capture payment details.
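One page-level control that follows from the CSP and detection points above, though the article does not spell it out: a checkout page that never legitimately uses WebRTC can instrument or refuse RTCPeerConnection itself, since connect-src will not. The following is an added example, not code from the article or from the researchers it summarises; it assumes it is loaded as the first script in <head> and that the report endpoint is a hypothetical one, and it only sees code that runs after it.

```javascript
// Report-only (or blocking) guard for pages with no legitimate WebRTC use.
// Wraps the RTCPeerConnection constructor so every peer connection and data
// channel, the transports this skimmer uses for payload delivery and
// exfiltration, is recorded before any page script can use them.
function installWebRtcGuard(globalObj, options = {}) {
  const { mode = 'report', onEvent = () => {} } = options; // 'report' or 'block'
  const events = [];
  const Original = globalObj.RTCPeerConnection;
  if (typeof Original !== 'function') {
    return { events, restore() {} }; // no WebRTC in this browser; nothing to guard
  }

  function record(type, detail) {
    const event = { type, detail, at: Date.now() };
    events.push(event);
    onEvent(event);
  }

  function GuardedPeerConnection(config, ...rest) {
    // A hard-coded STUN/TURN host or raw IP in the config is worth recording:
    // a checkout page has no reason to open a peer connection at all.
    const iceServers = (config && config.iceServers) || [];
    record('peer-connection', { iceServers });
    if (mode === 'block') {
      const err = new Error('WebRTC is not permitted on this page');
      err.name = 'NotAllowedError';
      throw err;
    }
    const pc = new Original(config, ...rest);
    const originalCreate = pc.createDataChannel.bind(pc);
    pc.createDataChannel = function (label, init) {
      record('data-channel', { label: String(label) });
      return originalCreate(label, init);
    };
    return pc; // returning an object from a constructor replaces `this`
  }
  GuardedPeerConnection.prototype = Original.prototype; // keeps instanceof working
  globalObj.RTCPeerConnection = GuardedPeerConnection;
  if (typeof globalObj.webkitRTCPeerConnection === 'function') {
    globalObj.webkitRTCPeerConnection = GuardedPeerConnection; // legacy alias
  }

  return {
    events,
    restore() { globalObj.RTCPeerConnection = Original; },
  };
}

// Browser usage (hypothetical /webrtc-report endpoint; sendBeacon itself is
// governed by connect-src, so allow that origin in the policy):
// installWebRtcGuard(window, { mode: 'report',
//   onEvent: (e) => navigator.sendBeacon('/webrtc-report', JSON.stringify(e)) });
```

Because the attacker in this campaign already has code execution on the store and could remove or bypass the guard, treat it as a detection signal and a defence-in-depth layer rather than a substitute for patching and the directory block described under mitigation.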

Mitigation and Patching

Adobe has released a fix for the PolyShell vulnerability in version 2.4.9-beta1, which was made available on March 10, 2026. However, this patch has not yet been widely adopted in production versions. Site owners are advised to implement immediate mitigations, including blocking access to the "pub/media/custom_options/" directory and conducting thorough scans for web shells, backdoors, and other malware on their stores.

Sources

  • WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites, The Hacker News.

  • Researchers uncover WebRTC skimmer bypassing traditional defenses, Security Affairs.
