Published: · Severity: WARNING · Category: Breaking

New ‘FROST’ Web Attack Lets Sites Spy on Apps and Activity With No Permissions

Severity: WARNING
Detected: 2026-06-09T10:17:41.102Z

Summary

Security researchers warn that a technique dubbed FROST allows any website you leave open in a tab to infer which apps you launch and which sites you visit—with no downloads, prompts, or permissions. For governments, banks, and trading desks that rely on browser isolation, this quietly breaks a key layer of operational security and raises fresh compliance and surveillance‑risk questions.

Details

A newly disclosed cyber technique known as the FROST attack could quietly upend how secure institutions treat web browsing, by allowing ordinary websites to track what users are doing across their computers in near real time. According to security reporting posted at 10:00 UTC on 9 June, FROST uses nothing more than JavaScript running in an open browser tab to time SSD operations and infer, with up to 95% accuracy, which sites and applications a user is opening—without any download, popup, or explicit permission.

The core claim is that FROST turns storage‑device timing into a high‑fidelity side channel: by continuously measuring how long SSD reads and writes take, malicious scripts can distinguish the usage patterns associated with specific applications and websites. Because this takes place entirely within standard browser capabilities, current permission models do not block it, and there is reportedly no complete fix yet available from browser or OS vendors. The source is a detailed technical disclosure carried by The Hacker News; we assess the underlying research as credible given that outlet's past accurate reporting on side‑channel techniques.

For real people and institutions, the stakes go beyond abstract privacy. Any user who keeps a malicious tab open—whether from a phishing email, a compromised news site, or a poisoned ad—could be passively profiled. High‑value targets include bankers working on confidential deals, traders executing sensitive orders, government officials accessing classified portals from mixed‑use machines, journalists protecting sources, and corporate staff handling M&A or sanctions‑sensitive plans from laptops that also browse the open internet.

Financially, FROST threatens one of the quiet assumptions underpinning many trading and banking workflows: that keeping specific apps and sites in separate windows, or relying on browser permissions, is enough to prevent cross‑context leakage. A compromised tab could infer when a trading terminal or internal risk dashboard is opened, when secure messaging or VPN clients are launched, or when a user accesses particular competitor or regulator portals. While it does not by itself read message content, timing and correlation alone can reveal deal activity, trading rhythms, or sensitive research behavior.

From a security perspective, this enlarges the attack surface for both intelligence services and sophisticated criminal groups. State actors could use FROST‑style techniques for long‑term behavioral surveillance of diplomatic, military, or corporate targets, especially in countries where browser isolation—rather than full hardware separation—is widely used. Criminals could pair FROST telemetry with credential theft to better evade fraud detection by mimicking genuine user behavior, or to identify when users are most exposed for account takeover.

Market and sector impact is likely to cluster around cyber‑security and browser/OS ecosystems. Vendors of secure browsers, hardened endpoints, VDI solutions, and privacy tech could benefit as enterprises accelerate segmentation of browsing away from production environments. Conversely, major browser and OS platforms will face pressure to devise mitigations (e.g., throttling high‑precision timers, SSD‑timing obfuscation, or architectural changes), which could add overhead and provoke regulatory scrutiny about web‑tracking and security defaults.
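The side channel described above depends on fine-grained timing, and timer coarsening is one of the mitigation classes mentioned here. A defender auditing an endpoint or a web property will want to know how coarse the timer actually is in a given page context (browsers reduce the resolution of `performance.now()` unless a page opts into cross-origin isolation, and some privacy modes reduce it further). The following is an added example, not code from the advisory, from The Hacker News, or from the FROST researchers: it estimates the effective timer step from a series of readings and buckets it. The bucket thresholds are the author's assumed defender categories, not figures from the advisory, which does not state what precision the technique needs.

```javascript
// Added example (not from the advisory or the FROST disclosure): estimate the
// effective resolution of a high-resolution timer from a series of readings.
// A browser that coarsens performance.now() shows a large minimum step; a
// sub-microsecond step means the page context has fine-grained timing available.

// Smallest non-zero step between consecutive distinct readings, rounded to the
// nearest nanosecond (readings are in milliseconds, as performance.now()
// returns them). Returns null if no change was observed at all.
function estimateTimerStep(samples) {
  let minStep = Infinity;
  for (let i = 1; i < samples.length; i++) {
    const d = samples[i] - samples[i - 1];
    if (d > 0 && d < minStep) minStep = d;
  }
  if (minStep === Infinity) return null;
  // Round to a nanosecond to absorb floating-point noise in the subtraction.
  return Math.round(minStep * 1e6) / 1e6;
}

// Classify a step (in milliseconds) into assumed defender buckets. The
// thresholds are this example's own choice, not values from the advisory.
function classifyTimerStep(stepMs) {
  if (stepMs === null) return 'no change observed';
  if (stepMs >= 1) return 'coarse (>= 1 ms)';
  if (stepMs >= 0.1) return 'moderately coarse (>= 100 us)';
  if (stepMs >= 0.005) return 'fine (>= 5 us)';
  return 'very fine (< 5 us)';
}

// Collect readings from the live timer until it has changed `changes` times.
// In a browser this is performance.now(); Node 16+ exposes the same global.
// The guard bounds the loop in case the timer never advances.
function sampleTimer(changes = 200, guard = 1e6) {
  const samples = [performance.now()];
  while (samples.length <= changes && guard-- > 0) {
    const t = performance.now();
    if (t !== samples[samples.length - 1]) samples.push(t);
  }
  return samples;
}

// Constructed readings (not captured data) mimicking a timer clamped to
// 100 microsecond steps, with one repeated reading.
const CONSTRUCTED_COARSE = [0, 0.1, 0.2, 0.2, 0.3, 0.5];

if (typeof require !== 'undefined' && require.main === module) {
  const step = estimateTimerStep(sampleTimer());
  console.log(`minimum observed step: ${step} ms -> ${classifyTimerStep(step)}`);
  const c = estimateTimerStep(CONSTRUCTED_COARSE);
  console.log(`constructed sample: ${c} ms -> ${classifyTimerStep(c)}`);
}
```

Run it from a browser console on a page served with and without the `Cross-Origin-Opener-Policy`/`Cross-Origin-Embedder-Policy` headers that enable cross-origin isolation, and the difference in the reported step shows which of your pages hand out the finer timer; the same check under a hardened profile shows whether an endpoint policy actually coarsened it.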

In the next 24–48 hours, watch for: (1) technical advisories from major browser projects (Chrome, Edge, Firefox, Safari) acknowledging or disputing FROST feasibility and outlining interim mitigations; (2) guidance from national cyber agencies (CISA, ENISA, NCSC, etc.) to financial institutions and government users on browser‑use policies; (3) any exploitation reports in the wild, especially against financial, energy, or government networks; and (4) shifts in enterprise policy—such as emergency restrictions on non‑work browsing from trading and control‑system endpoints—that could temporarily disrupt operations but reduce exposure.

MARKET IMPACT ASSESSMENT: Near‑term focus on cyber‑security names and privacy‑tech providers; possible pressure on major browser vendors and OS makers to mitigate SSD‑timing vectors. Financial institutions, HFT desks, and funds may need rapid browser/endpoint policy changes, driving short‑term operational friction. Elevated cyber‑risk perception can support security software equities and marginally weigh on big‑tech advertising and data‑harvesting narratives if regulators react.

Sources