How the Attack Works
Researchers have uncovered a new privacy threat where malicious websites can track visitors by measuring tiny variations in SSD access times. The attack, named FROST, operates entirely within the browser sandbox using the Origin Private File System (OPFS). Without requiring native code or special permissions, a JavaScript attack creates large files on disk that force real SSD reads rather than relying on memory cache reads. By continuously monitoring storage latency while a victim browses or uses other applications, the attacker collects timing traces with sufficient detail to classify user activity.
Impact and Scope
The technique goes beyond simple website tracking. On macOS, researchers achieved an F1 score of 88.95 for predicting visited websites and 95.83 for identifying specific applications like Safari or System Settings. The attack also built a covert channel between native apps and malicious websites, reaching capacities of 891.77 bits on macOS and 661.63 bits on Linux. Because the attack requires no browser crash, malware installation, or classic exploit chain, a user only needs to visit an attacker controlled site for the tracking to begin. This makes the timing leak a practical and serious privacy concern that enables both website fingerprinting and application usage profiling.
Source: Cyber Security News
