Researchers Uncover WebRTC Skimmer Bypassing Traditional Defenses

Security Affairs, Mar 26, 2026

Key Takeaways

  • WebRTC DataChannels used to load skimmer payload.
  • Bypasses CSP and traditional HTTP-based defenses.
  • Encrypted UDP traffic evades network detection tools.
  • Targets Magento/Adobe Commerce via PolyShell vulnerability.
  • Hardcoded attacker IP 202.181.177.177, UDP port 3479.

Pulse Analysis

WebRTC, the browser-based real-time communication framework, was designed to enable peer-to-peer audio, video, and data sharing without plugins. Because its data channels operate over DTLS-encrypted UDP, they fall outside the scope of the traditional Content Security Policy (CSP) directives that govern HTTP resources. Security teams therefore have limited visibility into the payloads that traverse these channels, and most network appliances focus on inspecting HTTP or TLS traffic. This blind spot makes WebRTC an attractive vector for attackers seeking to smuggle malicious code past established defenses.

The Sansec team observed the technique in a skimmer aimed at a car maker's online store. By exploiting the PolyShell flaw in Magento and Adobe Commerce, the attacker uploaded a script that forged a local WebRTC handshake and connected directly to 202.181.177.177 on UDP port 3479. The malicious script retrieves additional JavaScript over encrypted DataChannels, injects it into the page using a CSP nonce copied from the site's own legitimate scripts, and executes it during browser idle periods. Because the exfiltration travels over DTLS-encrypted UDP, conventional IDS/IPS and CSP filters miss both the inbound payload and the outbound theft of payment details.

The emergence of WebRTC-based skimmers forces a rethink of both web-application hardening and network monitoring. Organizations should extend CSP policies to block or sandbox DataChannel creation, enforce strict origin checks, and deploy browser extensions that can surface WebRTC traffic. On the network side, deep-packet inspection that can parse DTLS handshakes, or anomaly-based UDP flow analysis, can surface suspicious patterns. As real-time communication protocols become more mainstream, security vendors and developers must collaborate to embed controls that prevent their misuse, lest attackers continue to bypass legacy defenses with ease.
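One concrete form of the "surface WebRTC traffic" recommendation is page-side instrumentation: wrap `RTCPeerConnection` so that every DataChannel creation and every remote SDP description is reported, and flag ICE candidates that point at hosts outside a documented allowlist. The block below is an added example, not code from Sansec or from the Security Affairs write-up. It assumes a site policy object (`allowDataChannels`, `allowedPeerIps`) and a `report` callback that ships findings to the site's telemetry; the `StubPeerConnection` class and the sample SDP are constructed so the example runs outside a browser, with the SDP reusing the IP and UDP port named in the article.

```javascript
// Added example, not code from Sansec or the Security Affairs write-up.
// Defender-side instrumentation for a first-party page script or an extension
// content script: it surfaces RTCPeerConnection use, DataChannel creation and
// remote ICE candidates, and flags peers outside a documented allowlist.

// One SDP "a=candidate:" line (RFC 8839 syntax):
// candidate:<foundation> <component-id> <transport> <priority> <address> <port> typ <type> ...
const CANDIDATE_RE = /^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1], component: Number(m[2]), protocol: m[3].toLowerCase(),
    priority: Number(m[4]), ip: m[5], port: Number(m[6]), type: m[7],
  };
}

function extractCandidates(sdp) {
  return String(sdp).split(/\r?\n/).map(parseCandidate).filter(Boolean);
}

// A DataChannel is negotiated through an "m=application ... webrtc-datachannel" line.
function declaresDataChannel(sdp) {
  return /^m=application .*webrtc-datachannel/m.test(String(sdp));
}

// Policy (assumed shape): the peer addresses the site is expected to reach
// (its own TURN/media servers) and whether DataChannels are expected at all.
function evaluateSdp(sdp, policy) {
  const findings = [];
  if (!policy.allowDataChannels && declaresDataChannel(sdp)) {
    findings.push({ kind: 'datachannel-declared' });
  }
  const allowed = new Set(policy.allowedPeerIps || []);
  for (const c of extractCandidates(sdp)) {
    if (!allowed.has(c.ip)) {
      findings.push({ kind: 'unexpected-peer', ip: c.ip, port: c.port, protocol: c.protocol, type: c.type });
    }
  }
  return findings;
}

// Wrap scope.RTCPeerConnection so every DataChannel creation and every remote
// description is reported. Returns false when the API is absent (e.g. Node).
function instrumentWebRTC(scope, policy, report) {
  const Orig = scope.RTCPeerConnection;
  if (typeof Orig !== 'function') return false;
  function Instrumented(...args) {
    report({ kind: 'peerconnection-created' });
    const pc = new Orig(...args);
    const createDataChannel = pc.createDataChannel.bind(pc);
    pc.createDataChannel = (label, options) => {
      report({ kind: 'datachannel-created', label: String(label) });
      return createDataChannel(label, options);
    };
    const setRemoteDescription = pc.setRemoteDescription.bind(pc);
    pc.setRemoteDescription = (desc, ...rest) => {
      if (desc && desc.sdp) evaluateSdp(desc.sdp, policy).forEach(report);
      return setRemoteDescription(desc, ...rest);
    };
    return pc; // an object returned from a constructor becomes the result of `new`
  }
  Instrumented.prototype = Orig.prototype; // keep instanceof checks working
  scope.RTCPeerConnection = Instrumented;
  return true;
}

// Constructed stand-in so the example runs outside a browser; a real page
// would pass `window`, whose RTCPeerConnection is the genuine one.
class StubPeerConnection {
  constructor(config) { this.config = config; this.remote = null; }
  createDataChannel(label) { return { label, readyState: 'connecting' }; }
  setRemoteDescription(desc) { this.remote = desc; return Promise.resolve(); }
}

// Constructed SDP answer that reuses the IP and UDP port named in the article.
const SAMPLE_SDP = [
  'v=0', 'o=- 0 0 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel',
  'c=IN IP4 0.0.0.0', 'a=mid:0', 'a=sctp-port:5000',
  'a=candidate:1 1 udp 2130706431 202.181.177.177 3479 typ host',
].join('\r\n');

// Assumed site policy: no DataChannels expected, one documented media server.
const SITE_POLICY = { allowDataChannels: false, allowedPeerIps: ['203.0.113.10'] };

function demo() {
  const reports = [];
  const scope = { RTCPeerConnection: StubPeerConnection };
  instrumentWebRTC(scope, SITE_POLICY, (f) => reports.push(f));
  const pc = new scope.RTCPeerConnection({ iceServers: [] });
  pc.createDataChannel('d');
  pc.setRemoteDescription({ type: 'answer', sdp: SAMPLE_SDP });
  return reports;
}

console.log(JSON.stringify(demo(), null, 1));
```

Two design points. First, this is telemetry, not a hard control: a script that already runs with the page's own privileges can rewrap or bypass the hook, so the wrapper is best treated as an early-warning signal alongside CSP Level 3's `webrtc 'block'` directive, which denies peer connections outright where the browser supports it. Second, the allowlist is keyed on candidate IPs rather than ports because a DataChannel peer can listen on any UDP port; the port and transport are still recorded in each finding so an analyst can correlate them with flow logs.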
