Researchers Say They Can Spy on Your Browsing by Measuring SSD Activity Through a Browser API
Arthur T Knackerbracket writes:
Security researchers at Graz University of Technology in Austria have published a paper describing a side-channel attack that lets a malicious website identify what other sites and apps a visitor has open by measuring SSD access latency through JavaScript inside a standard browser sandbox. The technique, called FROST (Fingerprinting Remotely using OPFS-based SSD Timing), correctly identified visited websites with roughly 89% accuracy and running applications with roughly 96% accuracy on a test Mac, requires nothing from the victim beyond visiting the attacker's page, and works across different browsers.
FROST exploits the Origin Private File System (OPFS), a browser API that lets websites create and store files on a user's local disk without prompting for permission. Previous SSD side-channel attacks that we've seen require native code running through privileged kernel interfaces, but FROST eliminates that requirement.
The team disclosed their findings to Google, Apple, and Mozilla: Google said it doesn't consider fingerprinting a security vulnerability, Apple called the attack "currently out of scope," and Mozilla acknowledged the findings without implementing fixes.
The attack creates a large OPFS file on the victim's SSD, with both Chrome and Safari allowing a website to claim up to 60% of total disk space through OPFS, which on a 256GB drive is over 150GB. The file must exceed the system's available RAM so that every random 4 KB read hits the SSD rather than the OS's page cache. When other activity generates its own disk I/O, it creates measurable latency spikes in the attacker's reads, and those timing patterns are fed into a convolutional neural network trained to recognize specific websites and applications by their I/O signatures.
Read more of this story at SoylentNews.