

Ethical Hacking News

New WebRTC Skimmer Bypasses Security Controls, Exploits PolyShell Vulnerability to Steal Payment Data



A new payment skimmer has been discovered that bypasses security controls by leveraging WebRTC data channels to steal sensitive payment data from e-commerce websites. The attack exploits the PolyShell vulnerability in Adobe Commerce and Magento Open Source, allowing unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution. To mitigate this threat, website owners should block access to the "pub/media/custom_options/" directory and scan for web shells, backdoors, and other malware.

  • Researchers discovered a new payment skimmer exploiting WebRTC data channels to receive payloads and exfiltrate sensitive payment data.
  • The PolyShell vulnerability in Magento Open Source and Adobe Commerce allows unauthenticated attackers to upload arbitrary executables via the REST API, achieving code execution.
  • More than 50 IP addresses have participated in scanning activities for the PolyShell vulnerability, and PolyShell attacks have been found on 56.7% of all vulnerable stores.
  • The attacks use WebRTC peer connections to a hard-coded IP address and retrieve JavaScript code for stealing payment information.
  • Even stores with strict Content Security Policy (CSP) directives are still vulnerable to these WebRTC-based exfiltration methods, and the DTLS-encrypted UDP traffic is difficult to detect with standard network security tools.
  • Adobe has released a fix for the PolyShell vulnerability, but it has yet to reach production versions.
  • Website owners are advised to block access to specific directories and scan stores for web shells, backdoors, and other malware to mitigate risks.
  • The discovery highlights the ongoing evolution of e-commerce threats and the need for continued vigilance in protecting against these attacks.
  • Keeping software up-to-date with the latest security patches is crucial to minimize the risk of being targeted by these attacks.



    In a significant advancement of skimming attacks, researchers have discovered a new payment skimmer that leverages WebRTC data channels to receive payloads and exfiltrate sensitive payment data. This new threat exploits the PolyShell vulnerability in Magento Open Source and Adobe Commerce, allowing unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution.

    The attack, which targeted a car maker's e-commerce website, was facilitated by the PolyShell vulnerability. Since its discovery, more than 50 IP addresses have participated in scanning activities, with Sansec finding PolyShell attacks on 56.7% of all vulnerable stores. The Dutch security company noted that these attacks use WebRTC peer connections to a hard-coded IP address and retrieve JavaScript code for stealing payment information.

    One of the most striking aspects of this new skimmer is its use of WebRTC data channels, which bypass Content Security Policy (CSP) directives. Sansec highlighted that even stores with strict CSPs blocking unauthorized HTTP connections are still vulnerable to these WebRTC-based exfiltration methods. The traffic itself runs over DTLS-encrypted UDP and is difficult to detect using standard network security tools.

    Adobe has released a fix for the PolyShell vulnerability in version 2.4.9-beta1, but this patch has yet to reach production versions. To mitigate the risks associated with these attacks, site owners are advised to block access to the "pub/media/custom_options/" directory and scan stores for web shells, backdoors, and other malware.
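
    A sketch of the directory scan advised above, added here as an example and not taken from Sansec or Adobe tooling. The extension list and the PHP-tag heuristic are assumptions chosen for a PHP application such as Magento, and the sample files are constructed; point scan_upload_dir() at a store's pub/media/custom_options/ directory to use it.

```python
import os
import re
import tempfile

# Assumption: extensions a PHP-capable web server may execute.
EXEC_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}
# PHP open tags: "<?php" or the short echo tag "<?=".
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def scan_upload_dir(root):
    """Return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Check every dotted suffix so names like "a.php.jpg" are caught too.
            suffixes = {"." + s.lower() for s in name.split(".")[1:]}
            if suffixes & EXEC_EXTS:
                findings.append((rel, "executable extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            # An upload that looks like an image can still carry script code.
            if PHP_TAG.search(data):
                findings.append((rel, "embedded PHP tag"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: one clean upload and two suspicious ones."""
    sub = os.path.join(root, "sub", "a")  # hypothetical subdirectory layout
    os.makedirs(sub)
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "logo.gif": b"GIF89a" + b"<?php /* constructed marker */ ?>",
        "notes.phtml": b"plain text",
    }
    for name, body in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_upload_dir(tmp):
            print(f"{rel}: {reason}")
```

    A clean result from this heuristic does not show a store is uncompromised; it covers only the upload directory named in the advisory, not backdoors placed elsewhere.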

    The discovery of this new payment skimmer highlights the ongoing evolution of threats to e-commerce websites. As security controls and patch cycles continue to advance, attackers are continually adapting their tactics to bypass these defenses. The use of WebRTC data channels marks a significant shift in the way attackers are leveraging vulnerabilities to steal sensitive information.

    In light of this discovery, it is crucial for website owners and administrators to remain vigilant and implement additional security measures to protect themselves against these types of attacks. This includes monitoring for unusual traffic patterns, implementing robust Content Security Policy directives, and conducting regular vulnerability scans for potential weaknesses in their infrastructure.

    Furthermore, the exploitation of PolyShell highlights the importance of keeping software up-to-date with the latest security patches. In this instance, Adobe Commerce users should ensure that they are running version 2.4.9-beta1 or later to minimize the risk of being targeted by these attacks.

    In conclusion, the emergence of a new payment skimmer exploiting WebRTC data channels and the PolyShell vulnerability in Magento Open Source and Adobe Commerce underscores the need for continued vigilance in protecting against e-commerce threats. By staying informed about emerging vulnerabilities and implementing robust security measures, website owners can minimize their exposure to these types of attacks.





  • Published: Thu Mar 26 03:49:05 2026 by llama3.2 3B Q4_K_M












