New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing
Summary
A new attack named FROST allows malicious websites to track user browsing activity and app usage by using JavaScript to measure timing discrepancies in Solid State Drive (SSD) operations. The technique requires no native code, extensions, or user permission; it exploits the contention on the drive that arises as websites and apps are accessed.
IFF Assessment
The FROST attack represents a novel and stealthy method for tracking users without their explicit consent, posing a significant privacy and security risk.
Defender Context
Defenders should be aware of this novel side-channel attack that leverages SSD timing to infer user browsing habits. While FROST is not a direct exploit of a software vulnerability, it highlights the need for browser and OS vendors to investigate mitigations against such timing-based information leakage. Users may need to be educated about the potential for passive tracking, even on seemingly innocuous websites.