• Websites have a new way to spy on visitors: Analyzing their SSD activity

    From Nomen Nescio@nobody@dizum.com to alt.comp.os.windows-11, alt.privacy.anon-server, comp.mobile.android on Fri May 29 12:47:08 2026
    From Newsgroup: alt.privacy.anon-server

    Over the decades, there has been no shortage of sites using clever
    techniques to covertly track visitors' browsing histories, device
    fingerprints, and keystrokes and mouse movements in real time. Even Meta
    and Yandex were recently caught joining in the privacy-invasive
    free-for-all.

    Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to
    monitor other sites a visitor is viewing and what apps are open on their devices.

    A side channel based on contention
    The technique, laid out in a research paper, exploits a side channel, a
    form of leak resulting from physical manifestations such as
    electromagnetic emanations, data caches, or the time required to
    complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.

    The attack that FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing
    for) a given resource. By measuring the timing of certain I/O
    (input-output) operations of the SSD a visitor is using, the researchers
    were able to determine the websites open in other tabs -- even on other browsers -- and the apps that were open on the visitor's device. FROST
    requires no interaction from the visitor other than opening the site
    hosting the attack.

    "Web browsers have evolved from simple document viewers into complex
    platforms capable of running sophisticated applications," the paper
    authors wrote. "Companies like Google, Microsoft, and Adobe have
    developed full-fledged office suites, photo- and video editors, or even
    integrated development environments (IDEs) that run entirely within the
    browser." The authors went on to note: "While these features enhance the
    capabilities of web applications and allow completely novel use cases,
    they also increase the browser's attack surface, and some have already
    been shown to introduce new vulnerabilities."

    Unlike previous contention side-channel attacks on SSDs, FROST runs
    exclusively in the browser. It uses JavaScript that interacts with the
    OPFS (origin private file system), an allocated storage space that's
    reserved for a specific site to run code needed to complete a given
    task. Websites can create one with no interaction required by the
    visitor.

    While each file system is sandboxed, meaning it's isolated from other
    websites and from the device system itself, the JavaScript can measure
    the I/O interactions. Then, by running those interactions through a
    pretrained convolutional neural network -- a system that uses deep learning
    to analyze text, audio, and images -- the attacker can deduce various apps
    and websites open on the device.

    "The attacker continuously measures SSD contention by performing random
    reads from a large OPFS file," the researchers explained. "SSD
    contention caused by user activity causes measurable latency differences
    for these read operations. By training a convolutional neural network
    (CNN) on these traces, the attacker can fingerprint user activity on the
    host system by classifying new traces using the trained model."

    The technique has its limitations. First, the OPFS file must be
    extremely large -- likely a gigabyte or more. That requirement means that
    attacks at scale would inevitably be detected by many users.
    Additionally, the OPFS file must be stored on the same SSD the visitor
    is using. This isn't usually a problem for tracking open websites, since
    the OPFS file is stored in the browser's default location. In the event
    apps are using a separate SSD drive for apps, those apps couldn't be
    detected by FROST.

    One of the best ways to prevent FROST attacks is to close tabs as soon
    as they're no longer needed. More savvy users can monitor the creation
    and size of OPFS files allocated by unknown websites. The researchers
    proposed ways for browser makers to shut down the side channel. One such
    method is to limit the maximum size of such files that are allowed.
    There are no indications FROST attacks have been performed in the wild.

    The researchers performed the full Frost attack on an M2 Mac. On Linux,
    they showed that the underlying primitive (measuring SSD access latency
    traces from JavaScript) works, but didn't run the full attack.

    "However, since the performance of the primitive is similar between
    macOS and Linux, we expect similar performance for the full
    classification," Hannes Weissteiner, one of the co-authors, wrote in an
    email. "In principle, it would be possible to train a model on any
    system activity that reliably generates SSD accesses."

    The researchers did not test Windows.

    The paper linked above provides many more technical details. The
    research is scheduled to be presented at the DIMVA conference in July.

    https://arstechnica.com/security/2026/05/websites-have-a-new-way-to-spy-on-visitors-analyzing-their-ssd-activity/

    --- Synchronet 3.22a-Linux NewsLink 1.2
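
One way to do the per-site monitoring the article mentions (checking the size of OPFS files a site has allocated), run from the DevTools console of the page being checked. This is an added example, not code from the article, the post, or the FROST paper; the 1 GiB threshold, the helper names (`listOpfsFiles`, `summarise`, `auditOpfs`, `mockDir`) and the sample tree are assumptions constructed for illustration.

```javascript
// Threshold taken from the article's "likely a gigabyte or more" (assumption).
const LARGE_FILE_BYTES = 1024 ** 3;

// Recursively walk a FileSystemDirectoryHandle and collect {path, size}.
async function listOpfsFiles(dir, prefix = "") {
  const files = [];
  for await (const [name, handle] of dir.entries()) {
    const path = `${prefix}/${name}`;
    if (handle.kind === "directory") {
      files.push(...(await listOpfsFiles(handle, path)));
    } else {
      const file = await handle.getFile();
      files.push({ path, size: file.size });
    }
  }
  return files;
}

// Total bytes plus the paths of files at or above the threshold.
function summarise(files, threshold = LARGE_FILE_BYTES) {
  const total = files.reduce((sum, f) => sum + f.size, 0);
  const large = files.filter((f) => f.size >= threshold).map((f) => f.path);
  return { count: files.length, total, large };
}

async function auditOpfs(root, threshold = LARGE_FILE_BYTES) {
  return summarise(await listOpfsFiles(root), threshold);
}

// Constructed stand-in for a directory handle so the walker also runs
// outside a browser; names and sizes are made up.
function mockDir(tree) {
  return {
    kind: "directory",
    async *entries() {
      for (const [name, v] of Object.entries(tree)) {
        yield [name, typeof v === "number"
          ? { kind: "file", getFile: async () => ({ size: v }) }
          : mockDir(v)];
      }
    },
  };
}
const SAMPLE_ROOT = mockDir({ "cache.bin": 4096, data: { "blob.dat": 2 * 1024 ** 3 } });

// In a browser console on the page being checked:
//   console.log(await auditOpfs(await navigator.storage.getDirectory()));
```

The script only sees the OPFS of the origin it runs in, so it has to be repeated per site.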
  • From 1011 1010 1101@noreply@mixmin.net to alt.comp.os.windows-11, alt.privacy.anon-server, comp.sys.mac.advocacy on Sat May 30 07:18:13 2026
    From Newsgroup: alt.privacy.anon-server

    Nomen Nescio wrote:
    Over the decades, there has been no shortage of sites using clever
    techniques to covertly track visitors' browsing histories, device fingerprints, and keystrokes and mouse movements in real time. Even Meta
    and Yandex were recently caught joining in the privacy-invasive
    free-for-all.

    interactions with their solid-state drives. The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices.

    A side channel based on contention
    The technique, laid out in a research paper, exploits a side channel, a
    form of leak resulting from physical manifestations such as
    electromagnetic emanations, data caches, or the time required to
    complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.

    The attack that FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing
    for) a given resource. By measuring the timing of certain I/O
    (input-output) operations of the SSD a visitor is using, the researchers
    were able to determine the websites open in other tabs -- even on other browsers -- and the apps that were open on the visitor's device. FROST requires no interaction from the visitor other than opening the site
    hosting the attack.

    "Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications," the paper
    authors wrote. "Companies like Google, Microsoft, and Adobe have
    developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the capabilities of web applications and allow completely novel use cases,
    they also increase the browser's attack surface, and some have already
    been shown to introduce new vulnerabilities."

    Unlike previous contention side-channel attacks on SSDs, FROST runs exclusively in the browser. It uses JavaScript that interacts with the
    OPFS (origin private file system), an allocated storage space that's reserved for a specific site to run code needed to complete a given
    task. Websites can create one with no interaction required by the
    visitor.

    While each file system is sandboxed, meaning it's isolated from other websites and from the device system itself, the JavaScript can measure
    the I/O interactions. Then, by running those interactions through a pretrained convolutional neural network -- a system that uses deep learning
    to analyze text, audio, and images -- the attacker can deduce various apps
    and websites open on the device.

    "The attacker continuously measures SSD contention by performing random reads from a large OPFS file," the researchers explained. "SSD
    contention caused by user activity causes measurable latency differences
    for these read operations. By training a convolutional neural network
    (CNN) on these traces, the attacker can fingerprint user activity on the
    host system by classifying new traces using the trained model."

    The technique has its limitations. First, the OPFS file must be
    extremely large -- likely a gigabyte or more. That requirement means that attacks at scale would inevitably be detected by many users.
    Additionally, the OPFS file must be stored on the same SSD the visitor
    is using. This isn't usually a problem for tracking open websites, since the OPFS file is stored in the browser's default location. In the event apps are using a separate SSD drive for apps, those apps couldn't be detected by FROST.

    One of the best ways to prevent FROST attacks is to close tabs as soon
    as they're no longer needed. More savvy users can monitor the creation
    and size of OPFS files allocated by unknown websites. The researchers proposed ways for browser makers to shut down the side channel. One such method is to limit the maximum size of such files that are allowed.
    There are no indications FROST attacks have been performed in the wild.

    The researchers performed the full Frost attack on an M2 Mac. On Linux,
    they showed that the underlying primitive (measuring SSD access latency traces from JavaScript) works, but didn't run the full attack.

    "However, since the performance of the primitive is similar between
    macOS and Linux, we expect similar performance for the full classification," Hannes Weissteiner, one of the co-authors, wrote in an email. "In principle, it would be possible to train a model on any
    system activity that reliably generates SSD accesses."

    The researchers did not test Windows.

    The paper linked above provides many more technical details. The
    research is scheduled to be presented at the DIMVA conference in July.

    https://arstechnica.com/security/2026/05/websites-have-a-new-way-to-spy-on-visitors-analyzing-their-ssd-activity/

    Apple products are so full of security holes they can be
    used to sift flour.
    --- Synchronet 3.22a-Linux NewsLink 1.2