Researchers uncover WebRTC skimmer bypassing traditional defenses
Summary: Researchers have found a new payment-data skimmer that uses WebRTC to bypass traditional security defenses and that attacked a car maker's e-commerce platform through the PolyShell vulnerability.

2026-3-26 11:30:40 Author: securityaffairs.com (view original)

Researchers found a new skimmer using WebRTC to steal and send payment data, bypassing traditional security controls.

Sansec researchers discovered a new payment skimmer that uses WebRTC data channels instead of typical web requests to load malicious code and exfiltrate stolen payment data.

“What sets this attack apart is the skimmer itself. Instead of the usual HTTP requests or image beacons, this malware uses WebRTC DataChannels to load its payload and exfiltrate stolen payment data,” reported Sansec. “This is the first time Sansec has observed WebRTC used as a skimming channel.”

This technique helps it evade standard security defenses, making detection more difficult compared to traditional skimmers. The researchers pointed out that WebRTC connections are not controlled by standard Content Security Policy rules, allowing attackers to bypass protections even on secure sites. Since support for WebRTC-specific controls is limited and rarely used, most sites remain exposed.

Additionally, WebRTC uses encrypted UDP traffic instead of HTTP, making it harder for network security tools to detect stolen data being transmitted.

The attack targeted a car maker’s e-commerce site by exploiting the PolyShell vulnerability in Magento and Adobe Commerce, which allows attackers to upload malicious files and execute code without authentication. Since March 19, 2026, the flaw has been widely exploited, with scanning from over 50 IPs and attacks affecting more than half of vulnerable stores.

The skimmer is a self-executing script that creates a WebRTC connection to a hardcoded attacker server (“202.181.177[.]177” over UDP port 3479), bypassing traditional web controls.

It forges the entire connection setup locally, avoiding the need for a signaling server, and directly connects to the attacker’s IP over an encrypted DataChannel.

Once connected, it receives malicious JavaScript in chunks, stores it, and executes it when the connection closes or after a short delay. To evade defenses, it steals a valid CSP nonce from existing scripts and uses it to inject the payload, bypassing strict security policies. If that fails, it falls back to other execution methods.

The payload runs quietly during browser idle time, reducing detection risk, and enables attackers to inject code into the page to steal sensitive data such as payment information.
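A defender-side heuristic for the pattern described above, added here as an example and not code from the Sansec report or the SecurityAffairs article: it scans a page's JavaScript for WebRTC setup that carries its own SDP (ICE credentials, a DTLS fingerprint, a candidate line pointing at a non-local address), which is what a connection forged without a signaling server looks like in source, plus the channel-close and idle-time execution hints. The two sample scripts, the address 203.0.113.10, the signal weights and the threshold are all constructed for this demo.

```python
import ipaddress
import re

# Ranges treated as local; any other address in an inline ICE candidate is a remote peer.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# SDP line "a=candidate:<foundation> <component> <proto> <priority> <ip> <port> ..."
_CANDIDATE_RE = re.compile(
    r"a=candidate:\S+\s+\d+\s+(udp|tcp)\s+\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)", re.I)
# (regex, weight, finding). The weights are a constructed scheme for this demo, not a vendor rule set.
_SIGNALS = [
    (r"\bnew\s+RTCPeerConnection\b", 1, "creates an RTCPeerConnection"),
    (r"\.createDataChannel\s*\(", 2, "opens a DataChannel"),
    (r"a=fingerprint:", 3, "embeds a DTLS fingerprint, i.e. SDP forged in-script"),
    (r"a=ice-ufrag:", 2, "embeds ICE credentials, i.e. no signaling server"),
    (r"\.onclose\s*=|addEventListener\(\s*['\"]close['\"]", 1, "acts when the channel closes"),
    (r"\brequestIdleCallback\s*\(", 1, "defers work to browser idle time"),
    (r"createElement\(\s*['\"]script['\"]\s*\)|new\s+Function\s*\(|\beval\s*\(", 2,
     "turns received text into an executable script"),
]
SUSPECT_THRESHOLD = 8  # constructed cut-off; tune against your own script inventory

def scan_script(js: str) -> dict:
    """Score one script's source and list hardcoded remote ICE endpoints as (ip, port, proto)."""
    score, findings = 0, []
    for pattern, weight, finding in _SIGNALS:
        if re.search(pattern, js):
            score, findings = score + weight, findings + [finding]
    endpoints = [(ip, int(port), proto.lower()) for proto, ip, port in _CANDIDATE_RE.findall(js)
                 if not any(ipaddress.ip_address(ip) in net for net in _LOCAL_NETS)]
    if endpoints:  # a peer address baked into the page is the strongest single signal
        score, findings = score + 4, findings + ["hardcoded remote ICE candidate in source"]
    return {"score": score, "findings": findings, "endpoints": endpoints}

# Constructed samples: an ordinary call setup that relies on a signaling server, and a
# loader-shaped fragment that carries its own SDP and peer address (no real skimmer code).
BENIGN_JS = r"""
const pc = new RTCPeerConnection({iceServers: [{urls: "stun:stun.example.org"}]});
pc.createOffer().then(o => pc.setLocalDescription(o)).then(() => signaling.send(pc.localDescription));
"""
SUSPECT_JS = r"""
(function () {
  const pc = new RTCPeerConnection({iceServers: []});
  const dc = pc.createDataChannel("d");
  const sdp = "v=0\r\na=ice-ufrag:aaaa\r\na=fingerprint:sha-256 00:11:22\r\n" +
              "a=candidate:1 1 udp 2113937151 203.0.113.10 3479 typ host\r\n";
  dc.onclose = () => requestIdleCallback(() => document.createElement("script"));
})();
"""
```

Run it over the scripts served by a checkout page (inline and external); any script that crosses the threshold or yields a remote endpoint is worth a manual look, and the endpoint list gives you the UDP peer to hunt for in flow logs, where HTTP-only inspection would see nothing.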

“The traffic itself is also harder to detect. WebRTC DataChannels run over DTLS-encrypted UDP, not HTTP. Network security tools that inspect HTTP traffic will never see the stolen data leave,” concludes the report, which also provides Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – hacking, skimmer)
Source: https://securityaffairs.com/190002/malware/researchers-uncover-webrtc-skimmer-bypassing-traditional-defenses.html