
WEBSITES CAN NOW SPY ON YOUR HARD DRIVE

INDUSTRY DESK · 2 MIN READ
FRI, JUN 5, 2026

■ AI-SUMMARIZED FROM 1 SOURCE

A newly detailed technique called FROST allows websites to monitor SSD activity through browser JavaScript, creating a new privacy vulnerability. The method reads telltale patterns in hard drive behavior without requiring special permissions.

Security researchers have detailed FROST, a technique that enables websites to track hard drive activity from within a web browser using standard JavaScript code. The vulnerability exploits timing differences in SSD operations to infer information about what users are storing and accessing on their devices.

The attack works by measuring microscopic delays in how solid-state drives respond to read requests. When an SSD accesses frequently-used files, response times differ measurably from accessing rarely-touched data. JavaScript running in a website can detect these timing variations with sufficient precision to build a profile of a user's storage patterns.

This profiling capability poses significant privacy risks. An adversary could potentially identify what applications a user has installed, what documents exist on their system, or what files they regularly access—all without explicit user consent or system-level permissions.

FROST represents a new class of side-channel attacks that target hardware behavior rather than software vulnerabilities. Unlike traditional browser exploits, this technique doesn't require users to download files or install malicious software. It operates silently while someone browses normally.

Browser vendors and security researchers are investigating mitigation strategies. Potential defenses include introducing artificial noise into SSD timing measurements, reducing the precision of JavaScript timing functions, or implementing browser-level protections that limit access to hardware performance data.

The vulnerability affects modern SSDs across different manufacturers and operating systems. Users cannot easily patch this issue at the application level, making it a systemic concern requiring coordination between browser developers, operating system vendors, and SSD manufacturers.

While no active exploits have been reported in the wild, the public disclosure of FROST means developers now have detailed instructions for implementation. Organizations handling sensitive data should monitor for updates from their browser and system providers.

■ SOURCES

Wired
