Bottom line: JavaScript can reveal which applications and websites a user opens via SSD-timing side channels without requiring system privileges or browser extensions.
Researchers at Graz University of Technology have documented a new attack vector called FROST, which enables malicious websites to identify visited pages and open applications through JavaScript-based SSD timing measurements, without native code execution, browser extensions, or user permissions.
The FROST attack exploits memory access patterns on solid-state drives (SSDs) as a side channel. A JavaScript routine can monitor disk utilization in the background and infer which local files the user is accessing, for example when the user opens browsers, documents, or applications. Simply having a manipulated webpage open in the browser is sufficient to initiate this monitoring.
The attack model requires no native system calls, no browser extensions, and triggers no permission dialogs. Users are unaware that their system activity is being logged. This distinguishes FROST from classical cross-site tracking methods and makes it significantly harder to detect.
For CISOs, this technique represents a new vector for data exfiltration and user profiling. Typical protective measures such as cookie blocking, tracking prevention, or DNS filtering are ineffective, since the attack operates at the hardware interface level. Potential targets include users of sensitive applications (banking apps, messengers, VPN software, cloud storage) whose file access could be mapped in this way.
Source: thehackernews.com · Published 9 June 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.