Hackers Go Stealth Mode: New WebRTC Skimmer Silently Drains Payment Data While Security Systems Stay Blind


Introduction: A New Era of Invisible Cyber Theft

A shift is under way in e-commerce security. Attackers are moving away from skimmers that exfiltrate over easily monitored HTTP requests and toward channels that slip past controls built around web traffic. The latest discovery by security researchers is a payment skimmer that leverages WebRTC, a browser technology designed for real-time audio, video and data exchange between peers, to pull card data out of the shopper's browser without triggering the usual alarms. Even stores that have hardened their HTTP egress and CSP may be exposed without knowing it.

The Original Findings

Security researchers have uncovered a payment skimmer that uses WebRTC data channels both to fetch its payload and to exfiltrate stolen data. Conventional skimmers send card data out through HTTP requests or image beacons; this one talks peer-to-peer over a data channel, which is significantly harder to observe. The attack was seen on an automotive company's e-commerce platform. The initial foothold was a vulnerability known as PolyShell, which affects Magento Open Source and Adobe Commerce and lets an unauthenticated attacker upload arbitrary files through the REST API and then execute code on the server.

PolyShell has been under active exploitation since March 19, 2026, with over 50 IP addresses scanning for vulnerable systems. Researchers found that more than half of susceptible stores, roughly 56.7%, have already been targeted. Once the attacker has written files to the server, the injected JavaScript runs in every visitor's browser: it opens a WebRTC connection to a hardcoded IP address over UDP, retrieves additional malicious JavaScript over that channel, and injects it into the page to capture payment details as customers type them.

The most concerning aspect of this attack is that it bypasses Content Security Policy (CSP). CSP fetch directives such as connect-src restrict where a page may send data with XMLHttpRequest, fetch, WebSocket and beacon requests; RTCPeerConnection is not governed by them, so even a strict connect-src neither blocks the data channel nor generates a violation report (the CSP Level 3 draft defines a separate webrtc directive for this, but browser support is limited and it cannot be relied on today). The data channel itself runs SCTP over DTLS on UDP rather than HTTP, so proxies, WAFs and egress filters that inspect web traffic see neither the second-stage download nor the outbound card data. Because the stolen data leaves from the customer's browser rather than the merchant's servers, the merchant's only conventional window into browser-side exfiltration is CSP violation reporting, and WebRTC produces none.
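Since connect-src never sees an RTCPeerConnection, the one hook a site owner does have is the page's own JavaScript. The following is an added example, not code from the article, from the skimmer or from any vendor: it instruments RTCPeerConnection so that every remote description and trickled ICE candidate is parsed and checked against an allowlist before the browser acts on it, in report-only mode by default. The allowlist contents, the report() callback and the SAMPLE_OFFER SDP are all assumptions constructed for illustration.

```javascript
// Added example: page-side monitor for WebRTC data-channel exfiltration.
// Not from the article or any vendor. CSP connect-src does not cover
// RTCPeerConnection, so instrumenting the API in-page is the site owner's
// only browser-side hook. ALLOWED_PEER_HOSTS and report() are placeholders.

const ALLOWED_PEER_HOSTS = new Set(["turn.shop.example"]); // assumption: your legitimate WebRTC peers

// Parse one ICE candidate. Accepts the SDP form ("a=candidate:...") and the
// RTCIceCandidate.candidate form ("candidate:..."). Returns null otherwise.
function parseCandidate(line) {
  const m = String(line).trim().match(/^(?:a=)?candidate:(.*)$/);
  if (!m) return null;
  // <foundation> <component> <transport> <priority> <address> <port> typ <type> ...
  const p = m[1].split(/\s+/);
  if (p.length < 8 || p[6] !== "typ") return null;
  return { transport: p[2].toLowerCase(), address: p[4], port: Number(p[5]), type: p[7] };
}

// Pull out of an SDP blob what matters here: does it negotiate a data
// channel, and which addresses will the browser send to?
function analyzeSdp(sdp) {
  const out = { hasDataChannel: false, sctpPort: null, candidates: [] };
  for (const line of String(sdp).split(/\r?\n/)) {
    if (line.startsWith("m=application") && line.includes("webrtc-datachannel")) out.hasDataChannel = true;
    const sctp = line.match(/^a=sctp-port:(\d+)/);
    if (sctp) out.sctpPort = Number(sctp[1]);
    const c = parseCandidate(line);
    if (c) out.candidates.push(c);
  }
  return out;
}

// A data channel whose candidates include any address not on the allowlist is
// the shape the article describes: a hardcoded IP reached over UDP.
function assessRemote(analysis, allowedHosts = ALLOWED_PEER_HOSTS) {
  const offenders = analysis.candidates.filter((c) => !allowedHosts.has(c.address));
  const suspicious = analysis.hasDataChannel && offenders.length > 0;
  return { suspicious, offenders, hasDataChannel: analysis.hasDataChannel };
}

// Wrap RTCPeerConnection so every remote description and trickled candidate
// is assessed before the browser acts on it. Returns false outside a browser.
// block=true rejects suspicious peers; report-only is the safer first rollout.
function installWebRtcMonitor(report, { allowedHosts = ALLOWED_PEER_HOSTS, block = false } = {}) {
  if (typeof RTCPeerConnection === "undefined") return false;
  const proto = RTCPeerConnection.prototype;
  const origSetRemote = proto.setRemoteDescription;
  const origAddCandidate = proto.addIceCandidate;

  proto.setRemoteDescription = function (desc, ...rest) {
    const verdict = assessRemote(analyzeSdp(desc && desc.sdp ? desc.sdp : ""), allowedHosts);
    if (verdict.suspicious) {
      report({ stage: "setRemoteDescription", ...verdict });
      if (block) return Promise.reject(new Error("WebRTC peer not permitted"));
    }
    return origSetRemote.call(this, desc, ...rest);
  };

  proto.addIceCandidate = function (cand, ...rest) {
    const c = cand && cand.candidate ? parseCandidate(cand.candidate) : null;
    if (c && !allowedHosts.has(c.address)) {
      report({ stage: "addIceCandidate", offenders: [c] });
      if (block) return Promise.reject(new Error("WebRTC peer not permitted"));
    }
    return origAddCandidate.call(this, cand, ...rest);
  };
  return true;
}

// Constructed sample offer (not captured from the real skimmer): one
// application m-line, SCTP on port 5000, a single host candidate pointing at a
// literal IP. 203.0.113.10 is a documentation address.
const SAMPLE_OFFER = [
  "v=0",
  "o=- 4611731400430051336 2 IN IP4 127.0.0.1",
  "s=-",
  "t=0 0",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
  "c=IN IP4 0.0.0.0",
  "a=ice-ufrag:abcd",
  "a=ice-pwd:efghijklmnopqrstuvwxyz",
  "a=setup:actpass",
  "a=mid:0",
  "a=sctp-port:5000",
  "a=candidate:1 1 udp 2122260223 203.0.113.10 50000 typ host",
].join("\r\n");

// In a browser, load this before any third-party script, report-only first.
installWebRtcMonitor((event) => console.warn("webrtc-monitor", JSON.stringify(event)));
console.log(JSON.stringify(assessRemote(analyzeSdp(SAMPLE_OFFER))));
```

Two caveats a practitioner should keep in mind. First, a skimmer that runs before this script can capture the original RTCPeerConnection and bypass the wrapper, so load it first and treat it as telemetry rather than prevention; the server-side fix (patching and removing the dropped files) is what actually stops the attack. Second, a shop that has no legitimate WebRTC use can go further and report on every RTCPeerConnection constructor call, since any peer connection at all is then a signal; sites with real video or chat features need an allowlist built around their TURN relays, because browser-to-browser calls legitimately produce candidates for other users' addresses.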

Adobe has addressed PolyShell in version 2.4.9-beta1, but that fix has not yet reached a stable production release. Until it does, administrators should block web access to the directories the upload path writes to, and scan the installation for web shells and backdoors that may already be in place; a patch alone does not remove an attacker's existing foothold.

What Undercode Say:

A Silent Revolution in Cybercrime Tactics

The use of WebRTC for exfiltration marks a real change in how stolen data leaves a victim. For years defenders have concentrated on HTTP and HTTPS, building filters, CSP policies and anomaly detection around those protocols. This method sidesteps that tooling by moving the exfiltration into a channel most of it does not inspect.

Why WebRTC Is the Perfect Weapon

WebRTC was never designed with this threat model in mind. Its peer-to-peer architecture, combined with DTLS-encrypted UDP transport, creates a blind spot for most enterprise security tooling. Unlike HTTP traffic, WebRTC sessions are hard to log, inspect or block at a proxy without also breaking legitimate uses such as video calls or live chat.

PolyShell: The Real Entry Point of Chaos

While the skimmer itself is highly advanced, the real enabler is the PolyShell vulnerability. This flaw essentially hands attackers the keys to the system by allowing unauthenticated file uploads. Once access is gained, deploying advanced payloads like the WebRTC skimmer becomes trivial. The speed at which this vulnerability has been exploited—impacting over half of vulnerable stores—highlights how quickly attackers can weaponize newly discovered flaws.

Mass Exploitation Signals Organized Campaigns

The involvement of more than 50 IP addresses in scanning activity suggests a coordinated effort rather than isolated incidents. This level of activity often indicates the presence of automated botnets or organized cybercriminal groups that are systematically targeting e-commerce platforms at scale.

CSP Bypass: A Wake-Up Call for Security Teams

Content Security Policy has long been relied on to limit where a page can send data. This attack shows that CSP alone is not sufficient, because its fetch directives do not cover WebRTC. Security teams need visibility into peer-to-peer channels inside the page itself, for example by instrumenting RTCPeerConnection, alongside integrity monitoring of the server-side files that are served to customers.

Detection Challenges Are Growing Exponentially

One of the most troubling aspects of this attack is its stealth. The data moves over DTLS-encrypted UDP and leaves from the shopper's browser rather than the merchant's network, so intrusion detection on the merchant side has nothing to inspect. Detection therefore has to come from file-integrity monitoring on the server, from instrumentation in the page, or from the upstream exploitation artifacts such as the unauthenticated upload requests; otherwise a breach can persist for extended periods without being noticed, increasing the damage.

Patch Delays Create a Dangerous Window

Although a fix exists, its absence from production releases leaves a critical window of vulnerability. Many organizations delay updates due to compatibility concerns, but in this case, hesitation could prove costly. Attackers are already exploiting the gap aggressively.

E-Commerce Platforms Remain Prime Targets

Online stores continue to be lucrative targets for cybercriminals due to the direct access to payment data. The combination of high-value information and often inconsistent security practices makes them an ideal environment for deploying advanced skimmers.

The Future of Skimming Attacks

This development may mark the beginning of a new generation of skimmers that rely on unconventional communication protocols. As defenders adapt, attackers will likely continue to explore other overlooked technologies to maintain their advantage.

Urgency for Proactive Defense

Organizations can no longer rely solely on reactive security measures. Proactive monitoring, threat hunting, and rapid patch management are essential to staying ahead of evolving threats like this one.

🔍 Fact Checker Results

Verified Use of WebRTC for Data Exfiltration

✅ Confirmed that attackers are leveraging WebRTC data channels instead of traditional HTTP-based methods.

PolyShell Vulnerability Exploitation

✅ Evidence supports widespread exploitation affecting a significant percentage of vulnerable Magento and Adobe Commerce stores.

Patch Availability but Limited Deployment

❌ While a fix exists, it is not yet widely implemented in stable production environments, leaving systems exposed.

📊 Prediction

Rise of Non-Traditional Attack Vectors

Cybercriminals will increasingly adopt unconventional protocols like WebRTC to evade detection, forcing a major shift in cybersecurity strategies.

Acceleration of Zero-Day Exploitation

The rapid exploitation of PolyShell suggests future vulnerabilities will be weaponized even faster, reducing response time for defenders.

Security Tools Will Need Reinvention

Traditional network monitoring tools will evolve to analyze encrypted peer-to-peer traffic, or risk becoming obsolete in the face of next-gen threats.


References:

Reported By: thehackernews.com