Websites now have a sneaky new way to track your digital life: by monitoring how you interact with your solid-state drive (SSD). A new technique called FROST (fingerprinting remotely using OPFS-based SSD timing) can reveal which other websites you're visiting and what apps are open on your device.
This isn't about cookies or basic browser fingerprinting. FROST exploits a "side channel," which is essentially a leak of information from how a device performs a task. By precisely measuring the timing of input-output operations on your SSD, researchers found they could infer a surprising amount of user activity, even across different browser tabs and applications.
The attack relies on JavaScript running in your browser and interacting with the Origin Private File System (OPFS). Websites can create an OPFS space, a dedicated storage area for a site's code, without you doing anything. While these spaces are sandboxed, FROST measures the tiny delays and fluctuations in SSD access caused by other processes and apps running on your system. It then uses a trained artificial intelligence model, a convolutional neural network (CNN), to decode these "contention traces" and identify open websites and apps.
"Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications," the research paper's authors noted. They explained that while these advanced features are useful, they also "increase the browser's attack surface, and some have already been shown to introduce new vulnerabilities."
The FROST technique does have a few limitations. It requires a very large OPFS file (at least a gigabyte) and needs to be stored on the same SSD as the targeted activity. The researchers demonstrated a successful attack on an M2 Mac and confirmed the core measurement technique works on Linux. While not tested on Windows, similar performance is expected. To protect yourself, closing unnecessary tabs can help, and tech-savvy users might monitor OPFS file allocations. Browser developers are also exploring ways to patch this new vulnerability.
