WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites
Sansec researchers identified a payment skimmer that uses WebRTC data channels, rather than HTTP requests or image beacons, to bypass CSP and exfiltrate card data from e-commerce sites.
Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels to receive payloads and exfiltrate data, effectively bypassing security controls including Content Security Policy (CSP). "Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data," Sansec said in a report published this week. The attack represents an evolution in skimming tactics designed to evade traditional web security measures.

Source: https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html
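As an added example (not code from Sansec or the article): CSP fetch directives such as `connect-src` do not govern `RTCPeerConnection` traffic, so a payment page with no legitimate WebRTC use can guard the constructor before any other script runs. `lockDownWebRTC`, its `mode` option and the `report` callback are hypothetical names chosen for this sketch.

```javascript
// Added example, not from the article. All names here are hypothetical;
// wire report() to your own telemetry endpoint.
const RTC_CONSTRUCTORS = ['RTCPeerConnection', 'webkitRTCPeerConnection'];

function lockDownWebRTC(win, { mode = 'block', report = () => {} } = {}) {
  const guarded = [];
  for (const name of RTC_CONSTRUCTORS) {
    const Original = win[name];
    if (typeof Original !== 'function') continue;

    const Guarded = new Proxy(Original, {
      construct(target, args) {
        // Record every attempt; the stack points at the calling script.
        report({ event: 'construct', api: name, stack: new Error().stack });
        if (mode === 'block') {
          throw new Error(name + ' is disabled on this page');
        }
        // Report-only mode: allow the connection but log each data channel.
        const pc = new target(...args);
        const createDataChannel = pc.createDataChannel;
        pc.createDataChannel = function (label, ...rest) {
          report({ event: 'datachannel', api: name, label: String(label) });
          return createDataChannel.call(this, label, ...rest);
        };
        return pc;
      },
    });

    // Non-writable, non-configurable: a later script cannot simply reassign the global.
    Object.defineProperty(win, name, {
      value: Guarded, writable: false, configurable: false, enumerable: false,
    });
    guarded.push(name);
  }
  return guarded;
}

// In a browser, load this as the first script on the payment page.
if (typeof window !== 'undefined') {
  lockDownWebRTC(window, { mode: 'block', report: (e) => console.warn('WebRTC use', e) });
}
```

Start in `report` mode if any part of the site (video chat, support widgets) relies on WebRTC. The guard only covers calls made through the page's own globals, so it complements integrity controls on the scripts themselves rather than replacing them.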
SENTINEL: Everyday online shoppers could start seeing more surprise credit-card fraud even on sites that look secure, because thieves now have a quieter back-door way to grab payment details. Down the road this probably means we'll lean harder on phone wallets or one-time card numbers just to feel safe buying stuff.
Sources (1)
- [1] WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites (https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html)