WebRTC Skimmer Evades CSP to Steal Payment Data from E-Commerce Platforms
New attack technique abuses WebRTC data channels to bypass traditional security controls and silently exfiltrate payment information

A new wave of e-commerce attacks is raising serious concerns across the cybersecurity community. Researchers have uncovered a sophisticated payment skimmer that leverages WebRTC data channels to bypass traditional defenses, including Content Security Policy (CSP), and steal sensitive payment data.
Unlike conventional skimmers that rely on HTTP requests or image beacons, this malware uses WebRTC—a real-time communication protocol—to operate under the radar. As a result, attackers can load malicious payloads and exfiltrate stolen data without triggering standard security monitoring tools.
A New Entry Point: PolyShell Vulnerability
The attack chain begins with a critical vulnerability known as PolyShell, which affects both Magento Open Source and Adobe Commerce.
This flaw allows unauthenticated attackers to upload arbitrary executable files via the REST API. Consequently, threat actors can achieve remote code execution and deploy malicious scripts directly into vulnerable environments.
Since March 19, 2026, exploitation has surged rapidly. Security researchers observed scanning activity from over 50 IP addresses, with attacks impacting more than half of vulnerable stores. This widespread exploitation highlights how quickly threat actors weaponize newly discovered vulnerabilities.
How the WebRTC Skimmer Works
Once attackers gain access, they deploy a self-executing skimmer script. This script establishes a WebRTC peer connection to a hard-coded external IP address over UDP. It then retrieves additional malicious JavaScript, which gets injected into the checkout page.
From there, the skimmer silently captures payment details entered by customers. However, what makes this attack particularly dangerous is its communication method.
WebRTC data channels operate over DTLS-encrypted UDP rather than traditional HTTP protocols. Therefore, most network security tools—designed to inspect HTTP/HTTPS traffic—fail to detect the data exfiltration.
Additionally, even a strict CSP does not block this activity. CSP's connect-src directive restricts where page scripts may open HTTP, WebSocket and similar connections, but it does not govern WebRTC peer connections. As a result, even well-secured websites remain exposed.
Why This Matters for Businesses
This attack represents a significant evolution in web skimming techniques. It demonstrates that attackers are actively shifting toward less monitored communication channels to bypass modern defenses.
For CISOs and security teams, this means traditional web security controls are no longer sufficient on their own. Organizations must now consider deeper runtime monitoring, behavior-based detection, and enhanced visibility into non-HTTP traffic.
Moreover, the delay in production-ready patches increases the risk window. Although Adobe has released a fix in version 2.4.9-beta1, many organizations have yet to deploy it in live environments.
Recommended Mitigations
To reduce exposure, organizations should act immediately:
- Restrict access to sensitive directories such as /pub/media/custom_options/
- Scan systems for web shells, backdoors, and unauthorized scripts
- Monitor unusual outbound UDP traffic, especially WebRTC connections
- Implement runtime application protection and anomaly detection
- Accelerate patch management once stable updates become available
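As an added example (not code from the report, the researchers or Adobe), the following browser-side guard illustrates the runtime monitoring recommended above and the gap CSP leaves: it wraps RTCPeerConnection so that every peer connection, remote SDP and data channel opened on a checkout page is recorded, with the remote host parsed out of the SDP, and optionally refused. The `scope`, `allowlist` and `report` parameters and the guard's name are assumptions of this example; the SDP used to exercise it is constructed.

```javascript
'use strict';

// Pull remote endpoints out of an SDP blob: "c=IN IP4 <addr>" lines and
// "a=candidate:... <addr> <port> typ ..." lines, so the log names the peer
// the page tried to reach.
function extractRemoteHosts(sdp) {
  const hosts = new Set();
  for (const line of String(sdp || '').split(/\r?\n/)) {
    let m = /^c=IN IP[46] (\S+)/.exec(line);
    if (m) hosts.add(m[1]);
    m = /^a=candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ/.exec(line);
    if (m) hosts.add(m[1]);
  }
  return [...hosts];
}

// Wrap scope.RTCPeerConnection (normally `window`) on a checkout page. Every
// construction, remote description and data channel is recorded in the returned
// array and handed to `report`; with block=true, a remote description naming a
// host outside `allowlist` is refused. Load this before any other script.
function installWebRtcGuard(scope, { allowlist = [], block = false, report = () => {} } = {}) {
  const events = [];
  const Original = scope.RTCPeerConnection;
  if (typeof Original !== 'function') return events; // no WebRTC in this scope
  const record = (event) => { events.push(event); report(event); return event; };
  const refuse = (hosts) => block && hosts.some((h) => !allowlist.includes(h));

  function Guarded(config, ...rest) {
    // The stack trace shows which script on the page opened the connection.
    record({ kind: 'peerconnection', stack: new Error().stack });
    const pc = new Original(config, ...rest);
    const origSet = pc.setRemoteDescription.bind(pc);
    pc.setRemoteDescription = (desc, ...args) => {
      const hosts = extractRemoteHosts(desc && desc.sdp);
      const ev = record({ kind: 'remote', hosts, blocked: refuse(hosts) });
      if (ev.blocked) return Promise.reject(new Error('WebRTC peer refused by checkout guard'));
      return origSet(desc, ...args);
    };
    const origDc = pc.createDataChannel.bind(pc);
    pc.createDataChannel = (label, ...args) => {
      record({ kind: 'datachannel', label: String(label) });
      return origDc(label, ...args);
    };
    return pc;
  }
  Guarded.prototype = Original.prototype;
  scope.RTCPeerConnection = Guarded;
  return events;
}
```

An in-page shim only sees scripts that run after it, so treat its events as detection signals to forward to your monitoring rather than as a security boundary.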