Introduction to WebRTC-Based Payment Skimmers
Recent cybersecurity investigations have uncovered a novel payment skimmer utilizing WebRTC data channels for both payload delivery and data exfiltration. Unlike traditional methods relying on HTTP requests or image beacons, this malware leverages the capabilities of WebRTC to circumvent established security controls. This approach enables attackers to bypass mechanisms such as Content Security Policy (CSP), which are often employed to block unauthorized HTTP traffic. The encrypted nature of WebRTC traffic further complicates detection through conventional network security tools.
The malware specifically targets e-commerce platforms by injecting malicious JavaScript code into web pages through a WebRTC peer connection. This technique ensures that even stores with stringent CSP configurations remain vulnerable, as CSP does not govern WebRTC-based traffic. The encrypted UDP traffic, facilitated by DTLS, makes it nearly impossible for HTTP-focused monitoring tools to detect the exfiltration of payment information.
PolyShell Vulnerability in Magento and Adobe Commerce
The skimmer exploits the newly identified PolyShell vulnerability, which affects both Magento Open Source and Adobe Commerce platforms. This flaw allows unauthenticated attackers to upload arbitrary executables via the REST API, enabling remote code execution. The vulnerability stems from inadequate validation in the ImageProcessor::processImageContent function, which fails to verify that uploaded files match their declared MIME types.
Attackers can exploit this flaw by uploading a polyglot file to the pub/media/custom_options directory through a POST request. If the web server is misconfigured, these files become executable, allowing attackers to deploy web shells or inject malicious scripts. Adobe has released a fix in version 2.4.9-beta1, but many production systems remain unpatched, leaving them exposed to exploitation.
Implications of Web Server Misconfigurations
The impact of the PolyShell vulnerability is significantly amplified by improper web server configurations. For instance, deviations from the recommended Nginx or Apache settings can inadvertently allow access to uploaded files, making them executable. Specific misconfigurations, such as removing deny all directives or neglecting .htaccess files, open the door to XSS attacks and malicious code execution.
Security researchers emphasize the importance of adhering to Adobe's suggested configurations to mitigate risks. Proper implementation of access control measures, particularly for directories like pub/media/custom_options, is essential. Failure to do so can result in breaches and the unauthorized execution of malicious payloads.
Challenges in Detecting WebRTC Exploitation
The use of WebRTC introduces a significant challenge for cybersecurity defenses. Unlike HTTP traffic, WebRTC operates over DTLS-encrypted UDP channels, making it invisible to standard network monitoring tools. This unique characteristic complicates efforts to identify and block malicious activities, as traditional signature-based detection mechanisms are ineffective.
Additionally, the skimmer's hardcoded server IP address ensures direct communication with the attacker's infrastructure, bypassing intermediary systems that might otherwise raise alarms. This highlights the need for advanced monitoring solutions capable of analyzing non-HTTP protocols to detect anomalous activity effectively.
Recommended Mitigation Strategies
Addressing the risks associated with the PolyShell vulnerability and the WebRTC-based skimmer requires a multi-faceted approach. First, site owners should promptly apply the patch released in Adobe Commerce version 2.4.9-beta1 to close the identified security gap. Delays in patching can leave systems vulnerable to ongoing exploitation attempts.
Second, administrators must rigorously audit their web server configurations to ensure compliance with security best practices. Blocking access to the pub/media/custom_options directory and enforcing strict PHP execution restrictions are critical steps in minimizing exposure. Regular scanning for web shells and other backdoors should also be prioritized to detect and remove any existing threats.
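The audit step above can be partly automated. The following is an added example, not code from the original article or from Adobe: it scans a media directory such as pub/media/custom_options for polyglot uploads (an image header followed by PHP code) and shows a declared-MIME-versus-magic-bytes check of the kind the article says was missing. The directory path and sample bytes are constructed for illustration.

```python
import re
from pathlib import Path

# Magic bytes for the image types an option upload is expected to carry.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# PHP open tags must never appear inside a genuine image file.
PHP_MARKERS = re.compile(rb"<\?php|<\?=", re.IGNORECASE)

def sniff_image_type(data: bytes):
    """Return 'jpeg', 'png' or 'gif' from the leading magic bytes, else None."""
    for magic, image_type in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return image_type
    return None

def mime_matches_content(data: bytes, declared_mime: str) -> bool:
    """Does the declared MIME type agree with what the bytes actually are?"""
    image_type = sniff_image_type(data)
    return image_type is not None and declared_mime.lower() == f"image/{image_type}"

def classify_upload(data: bytes) -> str:
    """'image', 'polyglot' (image header plus PHP), 'php' or 'unknown'."""
    image_type = sniff_image_type(data)
    has_php = PHP_MARKERS.search(data) is not None
    if image_type and has_php:
        return "polyglot"
    if image_type:
        return "image"
    return "php" if has_php else "unknown"

def scan_directory(root: Path) -> list:
    """Report every file under a media directory that is not a clean image."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        verdict = classify_upload(path.read_bytes())
        if verdict != "image":
            findings.append((str(path.relative_to(root)), verdict))
    return findings

if __name__ == "__main__":
    # Constructed sample: a JPEG header with a PHP tag appended after it.
    sample = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"<?php echo 'polyglot'; ?>"
    print(classify_upload(sample), mime_matches_content(sample, "image/jpeg"))
```

Note that the polyglot sample passes the MIME-versus-magic check, which is why content scanning and blocking PHP execution under the media directory are needed in addition to upload validation.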