Researchers have discovered that websites can measure solid-state drive activity through the browser using JavaScript, creating a new privacy vulnerability for visitors.
A new attack vector has emerged that allows websites to infer what files users have stored on their computers by measuring SSD activity patterns through the browser.
The technique works by analyzing timing variations in how quickly data is accessed from storage. When a file exists on a user's SSD, it loads faster than when the system needs to fetch data from elsewhere. Websites can detect these subtle timing differences using simple JavaScript running in the browser.
Researchers demonstrated that this method can identify whether specific files—such as documents, applications, or media—are present on a user's device. The attack requires no special permissions and works across different browsers and operating systems.
The vulnerability is significant because it reveals information about users without their knowledge or consent. An attacker could potentially determine:
- What applications are installed
- Whether specific files or folders exist
- User behavior patterns based on file access
- Information about system configuration
This creates privacy concerns beyond traditional browser tracking. Unlike cookies or fingerprinting techniques that websites already use, SSD activity monitoring is nearly invisible and difficult to detect or prevent.
Current browsers offer limited defenses against this type of attack. Mitigations would require changes to how browsers handle timing measurements or access to storage information. Some browsers have already implemented protections against similar timing-based attacks, but those may not fully address this specific vulnerability.
The discovery adds to growing concerns about what information websites can extract from visitor devices. Privacy advocates recommend browser developers implement protections, while users have limited recourse beyond using privacy-focused browsers with additional hardening options.
The research highlights how web technologies initially designed for legitimate purposes can be repurposed for surveillance. As browsers become more powerful, the potential for misuse of their capabilities expands accordingly.
A new browser fingerprinting vector has emerged in Chromium 148, where the Math.tanh function produces different results across operating systems. This discrepancy can be exploited to identify a user's underlying OS without explicit permission.
Kaseya is hosting a webinar on strengthening MSP resilience through SaaS backups and business continuity strategies. The session focuses on how recovery capabilities prove critical when security defenses are breached.
A new variant of RedHook Android malware abuses Wireless ADB (Android Wireless Debugging) to gain shell-level privileges without requiring a computer connection. This represents a significant escalation in the malware's capabilities.
Fraudsters are creating convincing counterfeit news articles impersonating major publishers like the Guardian to direct social media users to bogus investment sites. The fake stories feature fabricated celebrity endorsements and financial narratives designed to establish credibility.