FROST attack uses SSD timing to fingerprint browsers and spy on open apps
Original source: Websites have a new way to spy on visitors: analyzing their SSD activity
Researchers have demonstrated FROST (Fingerprinting Remotely using OPFS-based SSD Timing), a browser-based side-channel attack that infers what other websites and applications a visitor has open by measuring contention on their solid-state drive. The technique runs entirely in JavaScript through the Origin Private File System, an isolated storage area browsers grant to any site without user interaction, and works across tabs and even across separate browsers on the same machine.
The attack belongs to a broader class of contention side channels, where timing variations in a shared resource leak information about competing processes. Earlier SSD-based attacks required native code or local access; FROST collapses that barrier by piggybacking on legitimate web platform APIs. A visitor only has to load a malicious page for the fingerprinting to begin.
The finding underscores a recurring tension as browsers absorb the capabilities of full desktop suites: each new storage, compute, or filesystem primitive widens the attack surface for inference attacks that vendors have historically been slow to mitigate. Hardening will likely require coarsening OPFS I/O timing or further isolating per-origin storage at the OS level.
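The timer-coarsening mitigation mentioned above, as an added illustration that is not code from the researchers or from any browser: a model of a clamped clock applied to constructed I/O durations, showing how well a single timed operation separates "idle" from "contended" as the clock resolution grows. The 200 µs and 350 µs durations, the threshold and all function names are assumptions chosen for the example.

```javascript
// Added illustration: every duration here is constructed, not a FROST measurement.

// Model of a clamped clock: timestamps are rounded down to a multiple of
// resolutionUs. Integer microseconds keep the arithmetic exact.
function coarsen(tUs, resolutionUs) {
  return Math.floor(tUs / resolutionUs) * resolutionUs;
}

// Duration a page computes when both timestamps come from the clamped clock.
function observedDuration(startUs, durationUs, resolutionUs) {
  return coarsen(startUs + durationUs, resolutionUs) - coarsen(startUs, resolutionUs);
}

// Constructed workload: n idle and n contended operations with a small
// deterministic spread (+/-10 us) and start times spread over all clock phases.
function buildSamples(n, idleUs, contendedUs) {
  const samples = [];
  for (let k = 0; k < n; k++) {
    const spread = ((k * 13) % 21) - 10;
    const startUs = k * 137;
    samples.push({ startUs, durationUs: idleUs + spread, contended: false });
    samples.push({ startUs, durationUs: contendedUs + spread, contended: true });
  }
  return samples;
}

// Fraction of single operations that a midpoint threshold labels correctly.
// This models one measurement at a time; repeated measurements are out of scope.
function perSampleAccuracy(samples, resolutionUs, thresholdUs) {
  let correct = 0;
  for (const s of samples) {
    const seen = observedDuration(s.startUs, s.durationUs, resolutionUs);
    if ((seen > thresholdUs) === s.contended) correct++;
  }
  return correct / samples.length;
}

const SAMPLES = buildSamples(1000, 200, 350); // constructed idle/contended durations
const THRESHOLD_US = 275;                     // midpoint between the two classes

for (const res of [5, 100, 1000]) {
  const acc = perSampleAccuracy(SAMPLES, res, THRESHOLD_US);
  console.log(`${res} us clock: per-sample accuracy ${acc.toFixed(3)}`);
}
```

With a clock much finer than the gap between the two classes every operation is labelled correctly; once the resolution exceeds both durations, a single observation is close to a coin flip.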
This is an AI-generated summary. Read the original for the full story.