
WebRTC skimmer bypasses CSP to steal payment data from e-commerce sites

April 2, 2026 · 6 min read · 1 source

A new channel for digital theft

Security researchers have uncovered a payment card skimmer that abuses a legitimate browser feature to stay undetected and siphon card data from compromised e-commerce sites. The malware uses Web Real-Time Communication (WebRTC) data channels both to receive its payload and to exfiltrate stolen information, a transport that sits outside the network-request controls of one of the web's most common defenses: Content Security Policy (CSP).

The discovery, detailed in a recent report from web security firm Sansec, marks a significant evolution in the tactics used by digital skimming groups, often referred to collectively as Magecart. "Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data," Sansec stated. This method allows the skimmer to operate in the shadows, outside the view of security tools configured to monitor traditional web traffic.

Technical breakdown: How WebRTC becomes a weapon

To understand the threat, one must first understand the technologies at play. Payment skimmers are malicious JavaScript code injected into the checkout pages of online stores. Their sole purpose is to capture payment card details as customers type them in and send that data to an attacker-controlled server.

WebRTC, on the other hand, is a standardized real-time communication stack built into every modern browser. Its purpose is to let two peers exchange audio, video and arbitrary data directly, without a central server relaying the content; it is the technology behind browser-based video conferencing and file sharing. Two details matter for what follows. First, a session still has to be negotiated through a separate signaling exchange (session descriptions and ICE candidates, usually carried over HTTPS or WebSocket, but nothing stops a script from carrying them inline). Second, once negotiated, the data flows over DTLS-encrypted UDP or TCP straight to the remote peer, not over HTTP.

The attackers have cleverly turned this feature into a covert exfiltration channel. The attack unfolds in several stages:

  1. Initial Compromise: The attackers first gain access to an e-commerce site, typically by exploiting a vulnerability in the platform, a third-party plugin, or through stolen credentials. They then inject a small, seemingly benign piece of JavaScript into the site’s code.
  2. Establishing a Covert Channel: This initial script does not start skimming right away. Its job is to open a WebRTC session with an endpoint the attackers control, which plays the role of the remote peer. It creates an RTCPeerConnection, opens an RTCDataChannel on it and completes the offer/answer exchange. The resulting data channel is a bidirectional tunnel between the victim's browser and the attacker that runs over DTLS/SCTP rather than HTTP.
  3. Payload Delivery: Through this established data channel, the attacker sends the full skimming payload. This malicious code contains the logic to identify payment forms, capture keystrokes for fields like credit card numbers and CVVs, and package the data for exfiltration.
  4. Data Exfiltration: As the shopper enters payment details, the skimmer captures them. Instead of sending the stolen data with an HTTP POST, fetch or WebSocket request, all of which a well-configured connect-src directive would block, it writes the data into the already open WebRTC data channel.

The Content Security Policy bypass

Content Security Policy (CSP) is a browser security mechanism that gives website administrators granular control over the resources a user's browser is allowed to load. A strong CSP can prevent cross-site scripting (XSS) and other injection attacks by defining trusted sources for scripts, images, and network connections using directives like script-src and connect-src.

The skimmer sidesteps most CSP deployments because the policy only governs the request types it names. The connect-src directive covers fetch, XMLHttpRequest, WebSocket, EventSource and sendBeacon; it says nothing about the DTLS/SCTP transport that an RTCPeerConnection opens to its peer. CSP Level 3 defines a separate `webrtc 'block'` directive for exactly this case, but it is an all-or-nothing switch and browser support should be verified before relying on it. The one point where a strict connect-src can bite is the signaling exchange, if it is carried over fetch or WebSocket to an unlisted host; a script that carries the remote session description and ICE candidates inside itself has no such request to block. Once the session is up, the data flows through a channel that the browser-enforced policy never inspects, which is what makes the skimmer so stealthy.
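To make the scope of the bypass concrete, here is an added example, not code from Sansec or from this article, that parses a CSP header and reports which of the three legs of the attack it actually constrains: the injected inline loader, the signaling exchange and the data channel transport. The four sample policies are constructed, and the `webrtc 'block'` check assumes the browser implements that CSP Level 3 directive.

```javascript
// Added example (not from the Sansec report or this article): a checker that reads
// a Content-Security-Policy header and reports what it does and does not say about
// a WebRTC-based skimming channel. Sample policies below are constructed, not real.

// Split a CSP header into a Map of directive name -> source list.
// Per the spec, a repeated directive is ignored after its first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A source list reaches arbitrary hosts if it contains '*' or a bare scheme
// such as https: / wss:. An empty list ("connect-src;") blocks everything.
function allowsAnyHost(sources) {
  return sources.some(s => /^(\*|https?:|wss?:)$/i.test(s));
}

// Report what the policy says about (1) the injected inline script,
// (2) the signaling leg (fetch/XHR/WebSocket, governed by connect-src) and
// (3) the data channel itself (DTLS/SCTP, only addressed by the CSP3 webrtc directive).
function webRtcExposure(header) {
  const d = parseCsp(header);

  const script = d.get('script-src') ?? d.get('default-src') ?? null;
  const hasNonceOrHash = (script ?? []).some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  // 'unsafe-inline' is ignored by CSP2+ browsers once a nonce or hash is present.
  const inlineScriptAllowed =
    script === null ||
    (script.some(s => s.toLowerCase() === "'unsafe-inline'") && !hasNonceOrHash);

  const connect = d.get('connect-src') ?? d.get('default-src') ?? null;
  const signalingUnrestricted = connect === null || allowsAnyHost(connect);

  const dataChannelBlocked = (d.get('webrtc') ?? []).some(s => s.toLowerCase() === "'block'");

  const findings = [];
  if (inlineScriptAllowed) {
    findings.push('inline scripts run: an injected skimmer loader is not stopped by this policy');
  }
  if (signalingUnrestricted) {
    findings.push('connect-src allows any host: signaling over fetch/WebSocket to an attacker server is permitted');
  } else {
    findings.push('connect-src is restricted: signaling cannot use fetch/WebSocket to unlisted hosts, but a remote session description can still be embedded in the script');
  }
  if (!dataChannelBlocked) {
    findings.push("no webrtc 'block': the RTCDataChannel transport is not governed by connect-src at all");
  }
  return { inlineScriptAllowed, signalingUnrestricted, dataChannelBlocked, findings };
}

// Constructed sample headers (hypothetical hosts).
const SAMPLE_POLICIES = {
  none: '',
  typical: "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example; connect-src *",
  strict: "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; connect-src 'self' https://api.example",
  hardened: "default-src 'none'; script-src 'nonce-r4nd0m'; connect-src 'self'; webrtc 'block'",
};

for (const [name, policy] of Object.entries(SAMPLE_POLICIES)) {
  console.log(`${name}:`, webRtcExposure(policy).findings);
}
```

The `strict` policy is the one most teams would call "well configured", and the checker still flags the data channel leg: only the `hardened` policy, with `webrtc 'block'`, closes it, and only if the browser honors that directive.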

Impact assessment: A widespread and stealthy threat

The implications of this new technique are serious and far-reaching.

  • E-commerce Businesses: Any online store is a potential target. Small and medium-sized businesses that lack a dedicated security team are particularly exposed. A breach of this kind can lead to severe reputational damage, loss of customer trust, regulatory fines under GDPR and contractual penalties under PCI DSS, up to loss of card-processing privileges.
  • Online Shoppers: The direct victims are consumers whose payment card details and personal information are stolen. This data is often sold on dark web marketplaces, leading to fraudulent charges and identity theft. Because the skimmer is so difficult to detect, a single compromised site could affect thousands of shoppers before the breach is discovered.
  • The Security Industry: This attack method forces a re-evaluation of client-side security. It demonstrates that attackers are actively researching and exploiting the full feature set of modern browsers to find gaps in our defenses. Detection tools and security policies must now account for non-HTTP data exfiltration channels.

How to protect yourself

Defending against this evolving threat requires a multi-layered approach for both site owners and consumers.

For e-commerce site administrators and developers

  • Audit and Harden Your CSP: Review your Content Security Policy now. The highest-value change is a nonce- or hash-based script-src (with 'strict-dynamic' where you need it) so that an injected inline loader never executes in the first place. Then tighten connect-src to the hosts your checkout actually talks to; that constrains any signaling done over fetch or WebSocket. If your store does not use WebRTC at all, add `webrtc 'block'` as well and confirm that the browsers your customers use honor it, because connect-src alone does not cover the data channel transport.
  • Implement Subresource Integrity (SRI): Add integrity hashes to every third-party script tag so the browser refuses a file that has been modified or replaced at the CDN. Know its limits: SRI only covers resources you load with a hash, so it does nothing about a script injected inline or into your own first-party files, and it cannot be applied to scripts whose content legitimately changes on every load.
  • Deploy Client-Side Security Monitoring: Use security solutions that monitor the behavior of JavaScript running in a user's browser. These tools can detect suspicious activities like DOM manipulation around payment forms or the initiation of unexpected network connections, including WebRTC, regardless of the exfiltration channel.
  • Secure Your Supply Chain: Vet all third-party services and scripts before integrating them into your site. A compromise in one of your vendors can lead to a compromise of your site.
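The monitoring bullet above and the attack steps earlier in the article (RTCPeerConnection, createDataChannel, setRemoteDescription) point at a concrete first-party control. The following is an added example, not code from the article or from any vendor product: it wraps window.RTCPeerConnection so that every peer connection, data channel and remote peer address on a checkout page is reported to a first-party callback and, optionally, refused. The allow-list, the sample SDP and the stub window that stands in for the browser API are constructed for the demo.

```javascript
// Added example: a first-party guard around RTCPeerConnection for a checkout page.
// Not code from the article or from Sansec; allow-list, SDP and stub are assumptions.

// Pull peer addresses out of an SDP body: the "c=" connection line and any
// ICE candidate lines. A remote description from an attacker peer shows up here.
function peerAddressesFromSdp(sdp) {
  const hosts = new Set();
  for (const line of sdp.split(/\r?\n/)) {
    let m = /^c=IN IP[46] (\S+)/.exec(line);
    if (m) hosts.add(m[1]);
    m = /^a=candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ/.exec(line);
    if (m) hosts.add(m[1]);
  }
  return [...hosts];
}

// Replace win.RTCPeerConnection with a subclass that reports activity.
// allowedPeers: addresses the checkout legitimately talks to (hypothetical).
// block: when true, a remote description naming any other peer is rejected.
// report: first-party callback, e.g. a beacon to your own telemetry endpoint.
function installWebRtcGuard(win, { allowedPeers = [], block = false, report = () => {} } = {}) {
  const Native = win.RTCPeerConnection;
  if (typeof Native !== 'function') return null; // no WebRTC in this realm

  class GuardedPeerConnection extends Native {
    constructor(...args) {
      report({ type: 'peerconnection', stack: new Error().stack }); // stack shows which script did it
      super(...args);
    }
    createDataChannel(label, ...rest) {
      report({ type: 'datachannel', label });
      return super.createDataChannel(label, ...rest);
    }
    setRemoteDescription(desc, ...rest) {
      const unexpected = peerAddressesFromSdp((desc && desc.sdp) || '')
        .filter(p => !allowedPeers.includes(p));
      if (unexpected.length > 0) {
        report({ type: 'unexpected-peer', peers: unexpected });
        if (block) return Promise.reject(new Error(`WebRTC peer not allowed: ${unexpected.join(', ')}`));
      }
      return super.setRemoteDescription(desc, ...rest);
    }
  }
  win.RTCPeerConnection = GuardedPeerConnection;
  return GuardedPeerConnection;
}

// Constructed stand-in for the browser API so the demo runs outside a browser.
class StubPeerConnection {
  constructor() { this.channels = []; this.remote = null; }
  createDataChannel(label) { const ch = { label }; this.channels.push(ch); return ch; }
  setRemoteDescription(desc) { this.remote = desc; return Promise.resolve(); }
}

// Constructed answer SDP for a data-channel-only session from a non-allow-listed peer.
const SAMPLE_SDP = [
  'v=0', 'o=- 1 1 IN IP4 0.0.0.0', 's=-',
  'c=IN IP4 203.0.113.10',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel',
  'a=candidate:1 1 udp 2113937151 203.0.113.10 3478 typ host',
].join('\r\n');

// Run the guard against the stub in monitor or block mode and return what it saw.
function demo({ block }) {
  const win = { RTCPeerConnection: StubPeerConnection };
  const events = [];
  installWebRtcGuard(win, { allowedPeers: ['198.51.100.5'], block, report: e => events.push(e) });
  const pc = new win.RTCPeerConnection({ iceServers: [] });
  pc.createDataChannel('exfil');
  pc.setRemoteDescription({ type: 'answer', sdp: SAMPLE_SDP }).catch(() => {});
  const hit = events.find(e => e.type === 'unexpected-peer');
  return { events: events.map(e => e.type), unexpected: hit ? hit.peers : [], applied: pc.remote !== null };
}

console.log(demo({ block: false }));
console.log(demo({ block: true }));
```

Install the guard as the first script in the document head, under a nonce, so it runs before any third-party code; it only covers the realm it is installed in (a new iframe gets its own untouched RTCPeerConnection), and a script that captured the native constructor before the guard ran is out of reach. Treat it as telemetry to feed a first-party reporting endpoint, not as a hard boundary.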

For online shoppers

  • Use Temporary or Virtual Credit Cards: Many banks and privacy services issue single-use or merchant-locked virtual card numbers. A single-use number cannot be charged again, and a merchant-locked one can be frozen the moment it appears elsewhere, which limits your exposure if it is skimmed.
  • Monitor Your Statements: Regularly check your credit card and bank statements for any suspicious activity. Report any unauthorized charges to your financial institution immediately.
  • Prefer Trusted Payment Gateways: Whenever possible, use payment options like Apple Pay, Google Pay, or PayPal. These services tokenize your payment information, meaning the merchant website never directly handles your actual card number.
  • Maintain Security Hygiene: You cannot control a website's security, but you can limit what a skimmer gets. Keep your browser up to date, and be clear about what a VPN does: it encrypts your traffic on untrusted networks, which HTTPS already does for the checkout itself, and it does nothing against skimmer code that is already running inside the page.

This WebRTC skimmer is a stark reminder that the fight for cybersecurity is a continuous cat-and-mouse game. As defenders build higher walls, attackers find new ways to tunnel underneath. It underscores the necessity for security strategies that are not just reactive, but are also predictive and adaptive to the ever-expanding capabilities of the modern web.

// FAQ

What is a WebRTC skimmer?

A WebRTC skimmer is a type of malicious JavaScript code that infects e-commerce websites. It abuses the browser's built-in Web Real-Time Communication (WebRTC) feature to create a hidden communication channel with an attacker's server to steal sensitive data like credit card numbers.

How does this skimmer bypass Content Security Policy (CSP)?

Content Security Policy (CSP) governs the request types it names: connect-src covers fetch, XMLHttpRequest, WebSocket, EventSource and sendBeacon. The DTLS/SCTP transport behind an RTCDataChannel is not one of them, so once the skimmer has negotiated a session it can exfiltrate data without the policy ever being consulted. Only the CSP Level 3 `webrtc` directive addresses that transport, and browser support for it should be checked.

Is my website safe if I already have a CSP?

Not necessarily. A CSP that leaves connect-src open, or that restricts connect-src but does not set `webrtc 'block'`, does not prevent a WebRTC data channel from carrying stolen data. Review script-src first (nonces or hashes stop the injected loader from running at all), then connect-src, then the webrtc directive, and pair the policy with client-side monitoring.

How can I protect myself as an online shopper?

The best protection is to limit your exposure. Use virtual or single-use credit cards for online purchases. Opt for secure payment gateways like PayPal or Apple Pay when available. Always monitor your financial statements closely for any fraudulent activity.

Are browsers vulnerable because of WebRTC?

This attack is not a vulnerability in WebRTC itself, but rather an abuse of its legitimate functionality. The attackers are using a powerful feature for malicious purposes. The challenge lies in distinguishing legitimate use of WebRTC from malicious use.
