The Stealthy Evolution of E-Commerce Skimmers: How WebRTC Bypasses the Digital Moat

New WebRTC skimmer bypasses CSP to steal payment data via PolyShell vulnerability in Magento. Learn how this stealthy attack works and how to defend.
The Shocking Velocity of the PolyShell Exploits

In the week following March 19, 2026, a staggering 56.7% of all vulnerable Magento and Adobe Commerce stores were compromised by a single exploit chain. This statistic demands a rigorous, analytical breakdown of the systemic flaws that allowed such a rapid and pervasive infection. We are not merely looking at a standard malware outbreak; we are witnessing the emergence of a sophisticated attack vector that weaponizes legitimate web protocols to render traditional security perimeters obsolete.

Behind the scenes, the catalyst for this digital epidemic is a vulnerability known as PolyShell. It affects Magento Open Source and Adobe Commerce and gives unauthenticated attackers a path to upload arbitrary files, including executable server-side code, through the REST API. Once code execution is achieved, the attackers do not stop at server-side control. They install a highly specialized payment skimmer that represents a significant leap in stealth.

Breaking the Mirror: How WebRTC Bypasses CSP

For years, security professionals have relied on Content Security Policy (CSP) as a defense against cross-site scripting and data exfiltration. A well-configured policy tells the browser which origins may serve scripts and, through the connect-src directive, which origins the page may contact with fetch, XMLHttpRequest, WebSocket, EventSource and beacon requests. If a malicious script tries to send stolen card data to an unlisted server through any of those APIs, the browser refuses the request.

However, the PolyShell skimmer employs a nuanced workaround: WebRTC (Web Real-Time Communication) data channels. Originally designed for low-latency, peer-to-peer communication such as video calls or file sharing, WebRTC lets two endpoints exchange data directly over DTLS-encrypted SCTP carried on UDP. STUN servers help each side discover its public address, and TURN servers relay the traffic when no direct path exists. Nothing requires the "peer" to be another shopper's browser; a server under the attacker's control can speak the protocol and act as the remote end.

In practice, CSP as most stores deploy it says nothing about WebRTC. connect-src governs the HTTP-style APIs listed above and does not apply to RTCPeerConnection, so a policy that locks connect-src down to 'self' still allows a data channel to any peer. CSP Level 3 added a dedicated webrtc directive (webrtc 'block') for exactly this gap, but few deployments set it and browser support is still uneven. The skimmer uses a data channel both to fetch its second-stage payload and to exfiltrate the captured payment fields, and because that traffic is not HTTP it does not resemble a request to anything inspecting what leaves the browser. From a risk perspective, this turns a legitimate feature into a Trojan horse that carries stolen data past the castle moat of traditional network filtering.

The Anatomy of a PolyShell Attack

Assessing the attack surface reveals a multi-stage process that is as efficient as it is malicious. The attack begins with exploitation of the REST API, a mission-critical component of modern e-commerce that is routinely exposed for the sake of interoperability. Because the vulnerability allows unauthenticated uploads, the barrier to entry is precariously low.

Once the attacker gains a foothold, they inject a script into the checkout page. Curiously, this script does not behave like the skimmers of five years ago. I remember investigating early Magecart incidents where the malware would simply send a GET request with base64-encoded data in the URL. It was noisy and easy to spot in server logs. In contrast, the PolyShell skimmer is nearly invisible. The exfiltration happens from the customer's browser, not from the store, so the merchant's web server logs never see it at all, and what does leave the browser is a DTLS handshake and SCTP traffic over UDP rather than an HTTP POST. Incident responders who are only hunting for suspicious POST requests in proxy or WAF logs will find nothing.

Why Patching Alone Isn't a Silver Bullet

Patching is often described as plugging holes in a ship's hull, and while essential, it is rarely a comprehensive solution on its own. Notwithstanding the availability of fixes, the speed of the PolyShell rollout—with over 50 IP addresses participating in mass scanning—suggests that many organizations are struggling to keep pace with the threat landscape.

At the architectural level, the problem lies in the inherent trust we place in third-party scripts and built-in browser features. When a store is compromised, the data breach acts like an oil spill; the environmental and reputational disaster spreads far beyond the initial point of impact. For the end-user, the experience is transparent and seemingly secure, yet their most sensitive financial data is being funneled through an encrypted, decentralized channel directly into the hands of a threat actor.

Proactively Speaking: Defensive Measures

To build a more resilient defense against this new breed of skimmer, organizations must look beyond the out-of-the-box configurations. A proactive security posture requires a multifaceted approach to data integrity and privacy.

  1. Audit REST API Access: Magento's own storefront calls the REST API during checkout, so the API cannot simply be cut off from the public internet without breaking the store. Instead, inventory which endpoints anonymous shoppers actually need, require authentication for everything else, restrict the admin and integration token endpoints to known IP ranges, and put a WAF rule in front of the rest.
  2. Strengthen CSP Directives: Your Content Security Policy must address WebRTC explicitly. connect-src does not cover RTCPeerConnection, and media-src only governs where audio and video elements load from, so neither helps here. The directive that applies is CSP Level 3's webrtc, whose only values are 'allow' and 'block'. Set webrtc 'block' on checkout pages unless the page genuinely needs a peer connection, and verify the behaviour in each browser you support, because not all of them honour the directive yet.
  3. Integrity Monitoring: Use File Integrity Monitoring (FIM) to detect unauthorized changes to your e-commerce codebase and to the deployed static assets under pub/static. Since the skimmer must reach the frontend, any change to the checkout logic should trigger an immediate alert. FIM on the filesystem does not see script injected through the database, for example through Magento's head-includes design setting, so audit those configuration values as well.
  4. Behavioral Analysis: Look for WebRTC use on your checkout pages. A checkout page has no reason to open a peer connection, so any RTCPeerConnection created there is a red flag. Note that the store operator cannot observe this traffic on its own network; it flows from the customer's browser to the attacker. Detection therefore has to happen in the browser: run a synthetic checkout in an instrumented headless browser on a schedule and fail the run if any peer connection is created, or ship a small guard script as the first script on the page that reports such attempts.

Ultimately, the PolyShell incident serves as a reminder that the network perimeter is an obsolete concept in the age of sophisticated client-side attacks. We must treat every browser feature as a potential exfiltration path.
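The client-side guard that item 4 calls for, as an added example rather than code from the original post: it wraps window.RTCPeerConnection so that every construction, and every createDataChannel call on the result, is recorded and handed to a report callback, and in block mode refused outright. The function takes a window-like object so it can be exercised outside a browser; makeFakeWindow, the report callback and the stun:stun.example URL are constructed for the stand-alone run and are not real endpoints.

```javascript
// Added example, not from the original post: wrap RTCPeerConnection on a checkout page
// so every attempt to open a peer connection is recorded, reported and (optionally) refused.
// Written against a window-like object so it runs outside a browser; in production call
// installWebRtcGuard(window, { mode: 'block', report }) from the first script on the page.
function installWebRtcGuard(win, opts = {}) {
  const mode = opts.mode === 'block' ? 'block' : 'report';
  const report = typeof opts.report === 'function' ? opts.report : () => {};
  const events = [];
  const OriginalPC = win.RTCPeerConnection;
  if (typeof OriginalPC !== 'function') {
    return { events, uninstall() {} }; // no WebRTC in this environment, nothing to guard
  }

  function record(kind, detail) {
    const ev = {
      kind,
      detail,
      page: win.location ? win.location.href : null,
      stack: new Error().stack, // which script asked; useful when triaging a report
    };
    events.push(ev);
    report(ev);
  }

  function GuardedRTCPeerConnection(config, ...rest) {
    const servers = ((config && config.iceServers) || [])
      .flatMap(s => (Array.isArray(s.urls) ? s.urls : [s.urls]))
      .filter(Boolean);
    record('construct', { iceServers: servers });
    if (mode === 'block') {
      throw new Error('RTCPeerConnection is not permitted on this page');
    }
    const pc = new OriginalPC(config, ...rest);
    // The data channel is the primitive a skimmer actually needs; watch it too.
    const originalCreate = pc.createDataChannel;
    if (typeof originalCreate === 'function') {
      pc.createDataChannel = function (label, ...args) {
        record('createDataChannel', { label: String(label) });
        return originalCreate.call(pc, label, ...args);
      };
    }
    return pc;
  }
  GuardedRTCPeerConnection.prototype = OriginalPC.prototype; // instanceof keeps working

  win.RTCPeerConnection = GuardedRTCPeerConnection;
  if (win.webkitRTCPeerConnection) win.webkitRTCPeerConnection = GuardedRTCPeerConnection; // legacy alias

  return {
    events,
    uninstall() { win.RTCPeerConnection = OriginalPC; },
  };
}

// Constructed stand-in for a browser window, for the stand-alone run and tests only.
function makeFakeWindow() {
  class FakeRTCPeerConnection {
    constructor(config) { this.config = config; this.channels = []; }
    createDataChannel(label) { const ch = { label }; this.channels.push(ch); return ch; }
  }
  return {
    location: { href: 'https://shop.example/checkout/' },
    RTCPeerConnection: FakeRTCPeerConnection,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const win = makeFakeWindow();
  const guard = installWebRtcGuard(win, { report: ev => console.log('report:', ev.kind, ev.detail) });
  const pc = new win.RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.example:3478' }] });
  pc.createDataChannel('demo');
  console.log(guard.events.length, 'events recorded');
}
```

Treat this as a detector, not an enforcement point: a skimmer that runs before the guard, or that pulls a pristine constructor out of a freshly created iframe's contentWindow, never touches the wrapper. The enforcement that survives those tricks is webrtc 'block' in the page's CSP; the guard's value is the report it sends, including the stack trace naming the script that tried.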

Actionable Next Step

If you are running Magento Open Source or Adobe Commerce, your immediate priority is to verify your patch level against the PolyShell vulnerability. Once the hole is plugged, conduct a forensic audit of your checkout scripts to ensure no WebRTC-based skimmers are currently active. Do not wait for a notification from your payment processor; the speed of this attack suggests that by the time you hear about it, the data has already been sold on the dark web.

Sources:

  • Sansec Threat Intelligence Report on WebRTC Skimmers.
  • Adobe Security Bulletin for Magento and Adobe Commerce.
  • WebRTC Protocol Specifications and Security Guidelines.