New browser attack tracks SSDs

TL;DR: A new side-channel attack called FROST allows websites to track users across different sites without cookies. It exploits modern browser APIs to measure subtle interactions with a computer's solid-state drive (SSD), creating a unique fingerprint to identify visitors and monitor their browsing activity.
Key facts
- Category: Cybersecurity
- Impact: Critical
- Source: Ars Technica
Full summary
A new browser-based attack called FROST can track users across websites by analyzing the activity of their solid-state drive (SSD).
Researchers have detailed a new side-channel attack called FROST that enables cross-site user tracking by analyzing a computer's solid-state drive (SSD). The technique uses standard browser APIs to run computational tasks and precisely measure the subtle performance variations of the underlying SSD. These timing differences create a unique hardware fingerprint, allowing a website to identify and follow a user across different domains without relying on cookies or other common identifiers. This method is effective because different SSD models and even individual drives exhibit distinct response patterns that can be detected and used as a persistent identifier.
The FROST attack represents a significant new threat to user privacy because it can bypass conventional anti-tracking protections like cookie blockers and private browsing modes. For developers, security teams, and CTOs, it highlights how seemingly benign browser features designed for performance can be repurposed for surveillance. The attack requires no special permissions and can run silently in the background of a webpage. This discovery puts pressure on browser vendors to re-evaluate the security of low-level APIs, as they can expose hardware-level information that was previously considered inaccessible, creating a new and challenging front in the battle for online privacy.
Why it matters
This attack demonstrates a new vector for user tracking that bypasses traditional privacy protections like cookie blockers. It shows how standard browser APIs can be exploited to extract unique hardware fingerprints, creating a new challenge for web security and user privacy.
Business impact
Businesses handling sensitive user data must be aware of this emerging threat class. It could undermine user trust and create compliance risks if third-party scripts on a company's website use such techniques. Security teams need to consider browser-based hardware fingerprinting in their threat models.
Primary source: Ars Technica