WEBSITES CAN NOW SPY ON YOUR HARD DRIVE

INDUSTRY DESK
FRI, JUN 5, 2026

■ AI-SUMMARIZED FROM 1 SOURCE

A newly detailed technique called FROST allows websites to monitor SSD activity through browser JavaScript, creating a new privacy vulnerability. The method reads telltale patterns in hard drive behavior without requiring special permissions.

Security researchers have detailed FROST, a technique that enables websites to track hard drive activity from within a web browser using standard JavaScript code. The vulnerability exploits timing differences in SSD operations to infer information about what users are storing and accessing on their devices.

The attack works by measuring microscopic delays in how solid-state drives respond to read requests. When an SSD accesses frequently-used files, response times differ measurably from accessing rarely-touched data. JavaScript running in a website can detect these timing variations with sufficient precision to build a profile of a user's storage patterns.

This profiling capability poses significant privacy risks. An adversary could potentially identify what applications a user has installed, what documents exist on their system, or what files they regularly access—all without explicit user consent or system-level permissions.

FROST represents a new class of side-channel attacks that target hardware behavior rather than software vulnerabilities. Unlike traditional browser exploits, this technique doesn't require users to download files or install malicious software. It operates silently while someone browses normally.

Browser vendors and security researchers are investigating mitigation strategies. Potential defenses include introducing artificial noise into SSD timing measurements, reducing the precision of JavaScript timing functions, or implementing browser-level protections that limit access to hardware performance data.

The vulnerability affects modern SSDs across different manufacturers and operating systems. Users cannot easily patch this issue at the application level, making it a systemic concern requiring coordination between browser developers, operating system vendors, and SSD manufacturers.

While no active exploits have been reported in the wild, the public disclosure of FROST means developers now have detailed instructions for implementation. Organizations handling sensitive data should monitor for updates from their browser and system providers.

■ SOURCES

Wired
