WebRTC Skimmer Bypasses Defenses to Exfiltrate Payment Data from E‑Commerce Sites
What Happened — Researchers at Sansec uncovered a new payment‑skimming malware that uses WebRTC DataChannels to load malicious code and exfiltrate credit‑card information, sidestepping traditional HTTP‑based defenses. The skimmer was observed targeting a car‑maker’s e‑commerce storefront by exploiting the PolyShell vulnerability in Magento/Adobe Commerce.
Why It Matters for TPRM —
- WebRTC DataChannels carry DTLS‑encrypted UDP that CSP's connect‑src does not govern and HTTP‑focused network inspection cannot read, expanding the attack surface of third‑party web applications.
- Vulnerable e‑commerce platforms become a conduit for payment‑data theft, raising supply‑chain risk for organisations that rely on them.
- Existing detection controls that focus on HTTP/HTTPS may miss this vector, requiring updated monitoring strategies.
Who Is Affected — Retail & e‑commerce operators, automotive OEMs with online sales, Magento/Adobe Commerce users, payment‑processing services.
Recommended Actions —
- Patch all Magento/Adobe Commerce installations against the PolyShell vulnerability (CVE‑2026‑XXXXX).
- Deploy WebRTC‑aware network monitoring, or block outbound UDP/3479 (the port used by the observed skimmer) to IPs that are not on an allow‑list; port‑based blocking alone will not catch a variant that uses a different port.
- Enforce strict CSP nonces and consider implementing WebRTC‑specific security policies.
- Review third‑party payment‑data handling controls and verify that vendors do not expose vulnerable WebRTC endpoints.
Technical Notes — The skimmer creates a direct WebRTC DataChannel to a hard‑coded attacker server (202.181.177.177:3479) using DTLS‑encrypted UDP, avoiding HTTP inspection. It steals a valid CSP nonce to inject malicious JavaScript, falls back to alternative execution methods if needed, and runs during browser idle time. Initial compromise stems from the PolyShell file‑upload flaw in Magento/Adobe Commerce, allowing unauthenticated code execution. Source: https://securityaffairs.com/190002/malware/researchers-uncover-webrtc-skimmer-bypassing-traditional-defenses.html
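As an added example (not code from the article, from Sansec, or from the skimmer itself), the following JavaScript turns the Recommended Actions and Technical Notes above into two defensive checks: an audit of a Content‑Security‑Policy header for the controls this brief recommends (script nonces, a restricted connect‑src, and the CSP Level 3 `webrtc 'block'` directive, which is the directive that actually governs DataChannels because connect‑src does not), and a browser‑side monitor that wraps RTCPeerConnection on a checkout page that should never use WebRTC and reports any data channel or any remote SDP pointing at an address outside an allow‑list. The function names, the allow‑list and the sample SDP are this example's assumptions; the address and port in the sample SDP are the ones named in the Technical Notes.

```javascript
// Added example, not code from the article or from Sansec. Function names,
// the allow-list and the sample SDP below are this example's assumptions.

// ---- 1. Audit a Content-Security-Policy header string ----------------------
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

function analyzeCsp(header) {
  const d = parseCsp(header);
  const script = d.get('script-src') || d.get('default-src') || [];
  const connect = d.get('connect-src') || d.get('default-src') || [];
  const webrtc = d.get('webrtc') || [];
  return {
    // Per-response nonces are what make script-src resistant to injection.
    scriptUsesNonce: script.some((s) => /^'nonce-[A-Za-z0-9+/=_-]+'$/.test(s)),
    // Browsers ignore 'unsafe-inline' once a nonce is present, but it is still
    // a weak fallback worth flagging.
    scriptAllowsUnsafeInline: script.includes("'unsafe-inline'"),
    connectIsRestricted: connect.length > 0 && !connect.includes('*'),
    // connect-src does not cover WebRTC; only the CSP3 webrtc directive does.
    webrtcBlocked: webrtc.includes("'block'"),
  };
}

// ---- 2. Pull remote addresses out of an SDP offer or answer ---------------
function extractRemoteAddresses(sdp) {
  const found = new Set();
  for (const line of sdp.split(/\r?\n/)) {
    const c = line.match(/^c=IN IP[46] (\S+)/);
    if (c && c[1] !== '0.0.0.0' && c[1] !== '::') found.add(c[1]);
    if (line.startsWith('a=candidate:')) {
      // a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ ...
      const tokens = line.split(/\s+/);
      if (tokens.length >= 6) found.add(tokens[4]);
    }
  }
  return [...found].sort();
}

function findUnexpectedPeers(sdp, allowedHosts) {
  return extractRemoteAddresses(sdp).filter((addr) => !allowedHosts.has(addr));
}

// ---- 3. Browser-side monitor (returns false where no RTCPeerConnection) --
function installWebRtcMonitor(allowedHosts, report) {
  if (typeof globalThis.RTCPeerConnection !== 'function') return false;
  const Original = globalThis.RTCPeerConnection;
  class MonitoredPeerConnection extends Original {
    constructor(...args) {
      super(...args);
      report({ event: 'peerconnection-created', config: args[0] || null });
    }
    createDataChannel(label, ...rest) {
      report({ event: 'datachannel-created', label: String(label) });
      return super.createDataChannel(label, ...rest);
    }
    setRemoteDescription(desc, ...rest) {
      const peers = findUnexpectedPeers((desc && desc.sdp) || '', allowedHosts);
      if (peers.length > 0) report({ event: 'unexpected-remote-peer', peers });
      return super.setRemoteDescription(desc, ...rest);
    }
  }
  globalThis.RTCPeerConnection = MonitoredPeerConnection;
  return true;
}

// Constructed sample SDP; the address and port are the ones named in the brief.
const SAMPLE_SKIMMER_SDP = [
  'v=0',
  'o=- 1 1 IN IP4 0.0.0.0',
  's=-',
  't=0 0',
  'm=application 3479 UDP/DTLS/SCTP webrtc-datachannel',
  'c=IN IP4 202.181.177.177',
  'a=candidate:1 1 udp 2113937151 202.181.177.177 3479 typ host',
  'a=sctp-port:5000',
].join('\r\n');

// A checkout page has no legitimate WebRTC use, so the allow-list is empty and
// every remote peer is unexpected.
const CHECKOUT_ALLOWED_HOSTS = new Set();

// Usage on the page: report events to your own collector (console here).
installWebRtcMonitor(CHECKOUT_ALLOWED_HOSTS, (e) => console.warn('webrtc-monitor', e));
```

The monitor is telemetry rather than prevention: a skimmer that already executes under a valid nonce can replace the wrapper, so treat its reports as a detection signal and rely on `webrtc 'block'` (in browsers that honour the directive) and on patching the PolyShell flaw as the preventive controls. Run the file in Node to exercise the two pure functions; `installWebRtcMonitor` returns false there because Node has no RTCPeerConnection.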