WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites
Summary: Researchers have discovered a new type of payment data skimmer that uses WebRTC data channels to bypass security controls and steal payment information from a car maker's e-commerce platform. The attack relies on the PolyShell vulnerability to upload and execute malicious code on Magento and Adobe Commerce systems. The WebRTC traffic travels over encrypted UDP, evading CSP restrictions and making detection difficult. Adobe has released a fix, but it has not yet been widely applied; merchants are advised to block access to the affected directory and scan for malware.

2026-03-26 06:53 Author: thehackernews.com (view original)

Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively bypassing security controls.

"Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data," Sansec said in a report published this week.

The attack, which targeted a car maker's e-commerce website, is said to have been facilitated by PolyShell, a new vulnerability impacting Magento Open Source and Adobe Commerce that allows unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution.

Notably, the vulnerability has been under mass exploitation since March 19, 2026, with more than 50 IP addresses participating in the scanning activity. The Dutch security company said it has found PolyShell attacks on 56.7% of all vulnerable stores.

The skimmer is designed as a self-executing script that establishes a WebRTC peer connection to a hard-coded IP address ("202.181.177[.]177") over UDP port 3479 and retrieves JavaScript code that's subsequently injected into the web page for stealing payment information. 

The use of WebRTC marks a significant evolution in skimmer attacks, as it bypasses Content Security Policy (CSP) directives. 

"A store with a strict CSP that blocks all unauthorized HTTP connections is still wide open to WebRTC-based exfiltration," Sansec noted. "The traffic itself is also harder to detect. WebRTC DataChannels run over DTLS-encrypted UDP, not HTTP. Network security tools that inspect HTTP traffic will never see the stolen data leave."
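One defensive check that follows from the point above, as an added example that is not part of the article or of Sansec's tooling: a heuristic scanner over the JavaScript a store serves, flagging WebRTC API use combined with hard-coded IP literals or ICE candidates, since CSP `connect-src` does not govern data channels. The two sample scripts are constructed for the example; the watchlist entry is the IP address reported above.

```python
import re

# Indicator from the report above (defanged in the article); refanged here for matching.
WATCHLIST_IPS = {"202.181.177[.]177".replace("[.]", ".")}

# API calls a WebRTC-based loader needs; none of them is governed by CSP connect-src.
WEBRTC_APIS = ("RTCPeerConnection", "createDataChannel", "setRemoteDescription")

# Literal IPv4 addresses (also matches dotted version strings, so treat as a heuristic).
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# SDP ICE candidate line: "candidate:<foundation> <component> udp <priority> <ip> <port> ..."
CANDIDATE = re.compile(r"candidate:\S+ \d+ udp \d+ (\d{1,3}(?:\.\d{1,3}){3}) (\d+)", re.I)


def scan_js(source: str) -> dict:
    """Return WebRTC indicators found in one JavaScript asset."""
    apis = [name for name in WEBRTC_APIS if name in source]
    candidates = [(ip, int(port)) for ip, port in CANDIDATE.findall(source)]
    ips = sorted(set(IPV4.findall(source)))
    hits = sorted(set(ips) & WATCHLIST_IPS)
    # A shop frontend rarely needs WebRTC at all; WebRTC plus a literal peer IP
    # (no STUN/TURN hostname, no signalling server) is the pattern described above.
    suspicious = bool(apis) and (bool(candidates) or bool(ips))
    return {"apis": apis, "candidates": candidates, "ips": ips,
            "watchlist_hits": hits, "suspicious": suspicious}


# Constructed sample resembling the skimmer's setup phase (not the real payload).
SAMPLE_JS = r"""
(function () {
  var pc = new RTCPeerConnection({iceServers: []});
  var dc = pc.createDataChannel("d");
  var sdp = "v=0\r\n" +
    "a=candidate:1 1 udp 2130706431 202.181.177.177 3479 typ host\r\n";
  pc.setRemoteDescription({type: "answer", sdp: sdp});
})();
"""
# Constructed benign sample: an ordinary REST call plus an IP literal but no WebRTC.
BENIGN_JS = "fetch('/rest/V1/carts/mine'); var probe = '10.0.0.1';"

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_JS), ("benign", BENIGN_JS)):
        print(label, scan_js(src))
```

Run it over every script a checkout page loads (inline and external) and treat any `suspicious` result on a store that has no legitimate WebRTC feature as a triage item.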

Adobe fixed PolyShell in version 2.4.9-beta1, released on March 10, 2026, but the patch has yet to reach the production versions.

As mitigations, site owners are recommended to block access to the "pub/media/custom_options/" directory and scan the stores for web shells, backdoors, and other malware.



Source: https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html