HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

WebRTC Skimmer Bypasses CSP, Stealing Payment Data from E‑Commerce Sites

A new WebRTC‑based skimmer circumvents Content‑Security‑Policy controls to harvest credit‑card information from online retailers. The technique threatens any third‑party checkout integration, raising PCI‑DSS compliance concerns for merchants and their payment partners.

LiveThreat™ Intelligence · 📅 March 26, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

WebRTC Skimmer Bypasses CSP, Targeting Payment Data on E‑Commerce Sites

What Happened — Researchers uncovered a novel payment‑skimming module that leverages WebRTC data channels to load malicious payloads and exfiltrate credit‑card details, sidestepping traditional Content‑Security‑Policy (CSP) defenses on e‑commerce storefronts.

Why It Matters for TPRM

  • Web‑based skimmers can compromise any third‑party payment gateway integrated with a retailer’s site.
  • CSP bypasses reduce the effectiveness of a common hardening control many vendors rely on.
  • Exposure of payment data triggers PCI‑DSS non‑compliance and potential fines for both the merchant and its service providers.

Who Is Affected — Retail & e‑commerce merchants, payment‑gateway providers, and any SaaS platforms that embed third‑party checkout widgets.

Recommended Actions — Review all third‑party scripts and checkout integrations for WebRTC usage, enforce strict CSP and WebRTC‑specific policies, and validate that payment providers employ runtime integrity checks.

Technical Notes — The skimmer injects a hidden WebRTC data channel, avoiding HTTP‑based detection. It delivers its payload via peer‑to‑peer signaling, then streams stolen PAN, CVV, and expiration data to attacker‑controlled ICE servers. No specific CVE is cited; the technique exploits the permissive default WebRTC configuration in many browsers. Source: https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html

📰 Original Source
https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →