Tag
A new technique called FROST exploits SSD timing side channels in browsers to spy on users' activities, identifying open websites and apps without requiring any interaction beyond visiting a malicious site.
This paper presents FROST, a technique for remotely fingerprinting users by exploiting timing differences in OPFS-based SSD storage.
Cloudflare's Turnstile now requires WebGL fingerprinting for device verification, blocking WebKitGTK browsers and raising privacy concerns.
A developer discovered that 40% of browser agent sessions silently failed due to browser fingerprinting and automation detection, not LLM reasoning. An open-source tool called Leakish identified the issues.
A researcher reverse-engineered AppLovin's ad mediation cipher protocol, revealing that it uses a weak non-cryptographic PRNG and a static salt to encrypt device information, allowing deterministic re-identification of iPhones across apps even when users deny tracking permission.
An analysis reveals that Mullvad VPN deterministically assigns exit IPs based on the WireGuard key, not randomly, leading to a small number of IP combinations that can uniquely identify users across sessions, undermining anonymity.
This paper demonstrates that websites can identify which large language model powers a browsing agent by analyzing its behavioral patterns and timing data, achieving an F1 score of up to 96% across 14 frontier LLMs. It formalizes this attack surface and shows that random timing delays are insufficient to prevent identification.