Researchers say they can spy on your browsing by measuring SSD activity through a browser API — claim FROST attack requires no permissions or user interaction to identify which apps and websites you're using

FROST exploits the Origin Private File System (OPFS), a browser API that lets websites create and store files on a user's local disk.
This attack vector has emerged due to the increasing reliance on browser APIs for local storage and the ongoing quest for new methods of user tracking by malicious actors, alongside the continuous research into system-level side-channel attacks.
This development highlights a critical vulnerability in fundamental web security: it allows pervasive user tracking without consent or detection, undermining the privacy and data-security assumptions of leading tech vendors.
The understanding of browser security models must adapt to include side-channel attacks through hardware interaction, requiring browser developers to re-evaluate the isolation and permissions of low-level APIs.
- Cybersecurity researchers
- Privacy-focused browser developers
- Ethical hacking firms
- Users of mainstream browsers
- Developers relying on OPFS for privacy-sensitive data
- Web advertising industry (if mitigated effectively)
- Tech companies with privacy commitments
Major browser vendors will prioritize patching or re-architecting the OPFS or similar APIs to mitigate this attack.
An increase in demand for advanced privacy tools and services that actively mask or randomize SSD activity and other side-channel leakage.
Potential regulatory pressure on browser and operating system developers to implement stronger hardware-level side-channel protection in consumer products.
Read at Tom's Hardware