
Researchers Publish Method to Surveil Web Page Visitors by Analyzing Their SSD Activity

Dan Goodin, reporting for Ars Technica:

The technique, laid out in a research paper, exploits a
side channel, a form of leak resulting from physical
manifestations such as electromagnetic emanations, data caches, or
the time required to complete a task. By measuring the
manifestations, attackers can decrypt encrypted traffic and infer
other confidential data. […]

“Web browsers have evolved from simple document viewers into
complex platforms capable of running sophisticated applications,”
the paper authors wrote. “Companies like Google, Microsoft, and
Adobe have developed full-fledged office suites, photo- and video
editors, or even integrated development environments (IDEs) that
run entirely within the browser.” The authors went on to note:
“While these features enhance the capabilities of web applications
and allow completely novel use cases, they also increase the
browser’s attack surface, and some have already been shown to
introduce new vulnerabilities.”

Unlike previous contention side-channel attacks on SSDs, FROST
runs exclusively in the browser. It uses JavaScript that interacts
with the OPFS (origin private file system), an allocated
storage space that’s reserved for a specific site to run code
needed to complete a given task. Websites can create one with no
interaction required by the visitor.

JavaScript, as I have suggested many times, was a terrible mistake for the web. It’s absurd that a web page can access local storage space.
