WebRTC Skimmer Bypasses CSP, Targeting Payment Data on E‑Commerce Sites
What Happened — Researchers uncovered a novel payment‑skimming module that leverages WebRTC data channels to load malicious payloads and exfiltrate credit‑card details, sidestepping traditional Content‑Security‑Policy (CSP) defenses on e‑commerce storefronts.
Why It Matters for TPRM —
- Web‑based skimmers can compromise any third‑party payment gateway integrated with a retailer’s site.
- CSP bypasses reduce the effectiveness of a common hardening control many vendors rely on.
- Exposure of payment data triggers PCI‑DSS non‑compliance and potential fines for both the merchant and its service providers.
Who Is Affected — Retail & e‑commerce merchants, payment‑gateway providers, and any SaaS platforms that embed third‑party checkout widgets.
Recommended Actions — Review all third‑party scripts and checkout integrations for WebRTC usage, enforce strict CSP and WebRTC‑specific policies, and validate that payment providers employ runtime integrity checks.
Technical Notes — The skimmer injects a hidden WebRTC data channel, avoiding HTTP‑based detection. It delivers its payload via peer‑to‑peer signaling, then streams stolen PAN, CVV, and expiration data to attacker‑controlled ICE servers. This sidesteps CSP because the connect-src directive governs fetch, XHR, WebSocket and beacon requests but not RTCPeerConnection traffic; only the separate CSP Level 3 webrtc directive (webrtc 'block') restricts it, and browser support for that directive is not universal. No specific CVE is cited; the technique exploits the permissive default WebRTC configuration in many browsers.
Source: https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html
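The two review steps above (scanning third‑party checkout scripts for WebRTC usage, and checking that the storefront's CSP actually constrains WebRTC rather than only HTTP destinations) can be turned into a repeatable check. The following is an added example written for this note, not code from the article or from any vendor; the script names, the CSP header strings and the sample script bodies are constructed for illustration.

```javascript
// Added example (not from the article): static checks a TPRM reviewer can run
// over third-party checkout scripts and over the storefront's CSP header.
//
// 1. scanScriptForWebRTC(): flags WebRTC API usage in script source text.
// 2. auditCsp(): checks whether a CSP header blocks WebRTC via the CSP3
//    `webrtc 'block'` directive and constrains connect-src. connect-src alone
//    does not cover RTCPeerConnection traffic, which is why the skimmer's
//    data-channel exfiltration passes a conventional CSP.

// WebRTC surface a data-channel skimmer needs. A checkout widget almost never
// needs peer-to-peer transport, so any hit on a payment page warrants review.
const WEBRTC_PATTERNS = [
  { name: 'RTCPeerConnection', re: /\b(?:webkit|moz)?RTCPeerConnection\b/ },
  { name: 'createDataChannel', re: /\.createDataChannel\s*\(/ },
  { name: 'RTCDataChannel', re: /\bRTCDataChannel\b/ },
  { name: 'iceServers', re: /\biceServers\b/ },
  { name: 'setRemoteDescription', re: /\.setRemoteDescription\s*\(/ },
  { name: 'addIceCandidate', re: /\.addIceCandidate\s*\(/ },
];

// Returns one finding per (line, API) pair so a reviewer can jump to the spot.
function scanScriptForWebRTC(source, label = 'script') {
  const hits = [];
  for (const [i, line] of source.split('\n').entries()) {
    for (const p of WEBRTC_PATTERNS) {
      if (p.re.test(line)) hits.push({ script: label, line: i + 1, api: p.name });
    }
  }
  return hits;
}

// Scan a map of { scriptName: sourceText } as you would for every script
// loaded on the checkout page (fetched separately; inputs here are inline).
function reviewThirdPartyScripts(scripts) {
  return Object.entries(scripts).flatMap(([label, src]) => scanScriptForWebRTC(src, label));
}

// Parse a CSP header into directive -> list of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const webrtc = d.get('webrtc');
  if (!webrtc) {
    findings.push("no 'webrtc' directive: connect-src does not restrict RTCPeerConnection, so data-channel exfiltration is not blocked by this CSP");
  } else if (!webrtc.includes("'block'")) {
    findings.push(`webrtc directive is '${webrtc.join(' ')}'; expected 'block' on payment pages`);
  }
  const connect = d.get('connect-src') || d.get('default-src');
  if (!connect) findings.push('no connect-src or default-src: HTTP/WebSocket destinations are unrestricted');
  else if (connect.includes('*')) findings.push("connect-src allows '*'");
  return { blocksWebRTC: Boolean(webrtc && webrtc.includes("'block'")), findings };
}

// Constructed samples (not real skimmer code): a benign tokenizing widget and
// a script that merely opens the WebRTC surface the article describes.
const SAMPLE_SCRIPTS = {
  'checkout-widget.js': `
    const form = document.querySelector('#card-form');
    fetch('https://pay.example/tokenize', { method: 'POST', body: new FormData(form) });
  `,
  'suspicious-addon.js': `
    const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.example.invalid' }] });
    const ch = pc.createDataChannel('d');
  `,
};

// Constructed CSP headers: a typical policy, and the same policy with WebRTC blocked.
const CSP_TYPICAL = "default-src 'self'; script-src 'self' https://cdn.example; connect-src 'self' https://pay.example";
const CSP_HARDENED = "default-src 'self'; script-src 'self' https://cdn.example; connect-src 'self' https://pay.example; webrtc 'block'";

console.log(JSON.stringify({
  scriptFindings: reviewThirdPartyScripts(SAMPLE_SCRIPTS),
  typicalCsp: auditCsp(CSP_TYPICAL),
  hardenedCsp: auditCsp(CSP_HARDENED),
}, null, 2));
```

The script scanner is a triage aid, not proof of compromise: obfuscated code can hide these identifiers, so a hit-free scan should be paired with runtime monitoring on the checkout page. The `webrtc 'block'` directive is part of CSP Level 3 and is honoured by Chromium-based browsers but not by all engines, so it complements, rather than replaces, reviewing which third‑party scripts are allowed to load on payment pages.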