The WebRTC Skimmer Threat: Why real-time eCommerce monitoring is no longer optional

The eCommerce security landscape shifted in a significant way this spring. Security researchers at Sansec uncovered a novel payment skimmer that leverages WebRTC data channels, the same technology that powers video calls and real-time browser communication, to steal payment data from online stores. What makes this attack particularly alarming is that it bypasses Content Security Policy (CSP), one of the most widely deployed browser-side defences against data exfiltration.
The skimmer exploits the PolyShell vulnerability in Magento and Adobe Commerce, and according to reports, it has impacted a staggering 56.7% of targeted stores. That's not a typo. More than half.
How the WebRTC Skimmer works
Traditional payment skimmers inject malicious JavaScript into checkout pages, capturing card details and sending them to attacker-controlled servers via standard HTTP requests. Security teams have gotten reasonably good at detecting these; CSP headers can block unauthorised outbound connections, and network monitoring tools flag suspicious API calls.
The WebRTC skimmer sidesteps all of this. Instead of using HTTP, it opens a peer-to-peer WebRTC DataChannel connection to receive its payload and exfiltrate stolen data. Because WebRTC peer connections are set up outside the request path that CSP governs, the policy's restrictions on outbound connections don't apply to them. Most conventional monitoring tools don't inspect WebRTC traffic at all.
The attack chain typically begins with the PolyShell vulnerability, which allows unrestricted file uploads to any Magento or Adobe Commerce store via the REST API. Once the attacker has a foothold, the skimmer is deployed, often concealed within innocuous-looking assets like SVG images or social media buttons.
The timing couldn't be more critical
This threat emerged just as Adobe released Magento Open Source 2.4.9 and Adobe Commerce 2.4.9 on May 12, 2026, a major release that includes PHP 8.5 support, enhanced security measures, and the beginning of a new monthly security patch schedule. The update addresses the PolyShell vulnerability, but patching alone doesn't solve the problem for the thousands of stores that were already compromised before the fix, or for merchants who haven't yet updated.
Adobe's shift to monthly security patches is a welcome change. It means vulnerabilities get addressed faster. But it also means merchants need to be more vigilant than ever about keeping their stores current, and more importantly, about knowing whether their store has already been compromised.
Why traditional monitoring falls short
Here's the uncomfortable truth: most eCommerce monitoring setups were not designed to detect this kind of attack. Standard application performance monitoring (APM) tools track server response times, error rates, and uptime. They're essential, but they're looking at the wrong layer.
The WebRTC skimmer operates entirely in the browser. It doesn't generate server-side errors. It doesn't slow down page loads. It doesn't trigger 500 status codes. From the server's perspective, everything looks perfectly normal while customer payment data flows silently to attackers through a peer-to-peer channel.
Even Real User Monitoring (RUM) tools, which capture front-end performance metrics, typically don't monitor WebRTC connections or detect injected scripts that behave like legitimate page components.
What's needed is client-side monitoring that goes beyond performance metrics to actively watch for anomalous behaviour: unexpected scripts loading on checkout pages, unusual network connections (including WebRTC), DOM modifications that shouldn't be there, and changes to form handling on payment pages.
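One way to implement the WebRTC part of that client-side watch, as an added example that is not code from Sansec, Adobe or AuditIQ: a guard loaded before any other checkout script that reports every peer connection and data channel the page creates, and can refuse them outright on pages with no legitimate use for WebRTC. The function name, options, event fields and reporting endpoint are assumptions made for illustration.

```javascript
// Added example (hypothetical names): report, and optionally block, WebRTC
// use on a checkout page that has no legitimate need for it.
function installWebRTCGuard(win, report, { block = false } = {}) {
  const wrapped = [];
  for (const api of ['RTCPeerConnection', 'webkitRTCPeerConnection']) {
    const Native = win[api];
    if (typeof Native !== 'function') continue;
    win[api] = new Proxy(Native, {
      construct(target, args, newTarget) {
        const config = args[0] || {};
        // Collect configured STUN/TURN URLs; `urls` may be a string or array.
        const iceServers = (config.iceServers || [])
          .flatMap((s) => [].concat(s.urls || []));
        report({
          type: 'rtc-peer-connection',
          api,
          iceServers,
          blocked: block,
          stack: new Error().stack, // shows which script made the call
        });
        if (block) throw new Error('WebRTC is disabled on this page');
        const pc = Reflect.construct(target, args, newTarget);
        const nativeCreate = pc.createDataChannel;
        if (typeof nativeCreate === 'function') {
          // Shadow the method on this instance to log each data channel.
          pc.createDataChannel = function (label, options) {
            report({ type: 'rtc-data-channel', api, label });
            return nativeCreate.call(this, label, options);
          };
        }
        return pc;
      },
    });
    wrapped.push(api);
  }
  return wrapped;
}

// Browser usage, first script on the checkout page (endpoint is a placeholder):
// installWebRTCGuard(window, (e) =>
//   navigator.sendBeacon('/monitoring-endpoint-placeholder', JSON.stringify(e)));
```

The guard only sees connections made through the wrapped constructor in the window where it is installed, so its reports are one signal to combine with server-side scanning, not a replacement for it.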
AuditIQ monitors the entire customer experience
This is precisely the gap that AuditIQ was built to address. AuditIQ monitors eCommerce storefronts from the perspective of the actual customer experience, not just whether the server is responding, but what's actually happening in the browser when a shopper reaches your checkout.
AuditIQ's approach to eCommerce monitoring includes detecting unexpected client-side changes, flagging anomalous script behaviour, and alerting merchants when something on their storefront deviates from the expected baseline. When a skimmer injects itself into your checkout page, whether through a traditional HTTP exfiltration method or a novel approach like WebRTC, the modification to your page's behaviour is detectable if you're watching at the right level.
Beyond security threats, this same monitoring capability catches the everyday issues that silently erode revenue: broken add-to-cart buttons, JavaScript errors on product pages, payment gateway timeouts, and form validation bugs that cause checkout abandonment. Research shows that payment failures alone impact 1 in 5 eCommerce orders, creating an estimated $47 billion in annual revenue leakage globally. Technical checkout issues account for roughly 22% of all cart abandonments.
What merchants should do today
Given what traditional monitoring misses, taking action at both the platform and monitoring layer is essential. If you're running Magento or Adobe Commerce, here's where to focus immediately:
- Update immediately to version 2.4.9 or apply the latest security patches to address the PolyShell vulnerability.
- Scan your store for existing compromises. Sansec's eComscan tool is purpose-built for this.
- Implement client-side monitoring that watches for anomalous behaviour on your checkout pages, not just server-side performance metrics.
- Review your CSP headers; they're still valuable for blocking traditional attacks, even if they can't stop WebRTC-based exfiltration.
- Monitor continuously. One-time scans aren't enough when new attack vectors emerge regularly.
The bigger picture
The WebRTC skimmer represents an evolution in eCommerce attacks that should concern every online merchant, regardless of platform. Attackers are getting more creative, and the gap between what traditional monitoring detects and what actually threatens your customers is widening.
The stores that weather these threats best aren't necessarily the ones with the biggest security budgets. They're the ones with comprehensive monitoring that watches the entire customer experience, from landing page to order confirmation, and alerts them the moment something changes.
If you'd like to see how continuous eCommerce monitoring can protect your store and your revenue, visit AuditIQ to learn more.
About the author
Dan Garner writes from AuditIQ's experience monitoring eCommerce performance, SEO, security, and reliability issues across Magento, Shopify, WooCommerce, and Adobe Commerce stores.