May 28, 2026

Your SSD Betrays You and AI Vendors Share Everything

Websites Can Now Spy on You Through Your SSD Activity

A website you visited this morning may already know what other tabs you had open, which apps were running on your machine, and what you were doing — without you clicking a single thing or granting a single permission.

Researchers have demonstrated a new browser-based attack called FROST — short for Fingerprinting Remotely using OPFS-based SSD Timing — that lets a malicious website silently profile a visitor by measuring how their solid-state drive handles competing demands from different processes. It requires zero interaction beyond the victim loading the page. That's it. You show up, and the spying begins.

Here's the technical backbone: modern SSDs don't process one task at a time in a vacuum. Multiple apps and browser tabs constantly read and write data, and they occasionally bump into each other waiting for access. This creates tiny, measurable delays — latency variations so small you'd never notice them as a user, but detectable enough for a well-trained algorithm to interpret. FROST exploits exactly this phenomenon, which researchers classify as a contention side-channel attack.

The attack runs entirely in JavaScript and leverages something called the Origin Private File System, or OPFS. This is a legitimate browser feature that lets websites carve out a small reserved storage space to run complex tasks locally — think Google Docs auto-saving your work or a browser-based video editor processing a file. Websites can create an OPFS instance without asking the user for permission, which is precisely what makes this so uncomfortable.

While each site's OPFS is sandboxed and technically isolated, the JavaScript running inside it can still measure how long SSD read operations take. Those timing variations encode a surprising amount of information. By feeding that data through a convolutional neural network — the same class of deep learning models used for image and audio recognition — the researchers were able to identify which websites a victim had open in other tabs and which desktop applications were running in the background.

The broader context here matters. Browsers have quietly become operating systems. Google Docs, Figma, Adobe Express, and full IDEs now run entirely inside a browser tab. That expanded capability is genuinely useful, but it also dramatically widens the surface area for attacks. Every new API that makes browsers more powerful is also a potential new lever for someone trying to learn things about you that you never agreed to share.

What makes FROST particularly unsettling isn't just the cleverness of the technique — it's how passive it is. Previous side-channel attacks on storage hardware typically required some level of local access or a native application. This one lives entirely in a browser tab and leaves no obvious trace.

There's no immediate patch or browser setting that neutralizes this today. Researchers disclosed their findings responsibly, and browser vendors will likely respond, but the fix isn't trivial. Reducing timing precision in storage APIs could break legitimate performance-sensitive applications. The web's growing ambition keeps writing checks that its security model struggles to cash.
Source: Ars Technica
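
The trade-off in the last paragraph, as an added example that is not from the researchers or the source article: a Node.js simulation of how a coarser clock changes what one timed read reveals. The latency values (80 and 100 microseconds), the clock resolutions and all function names are constructed assumptions, not FROST measurements.

```javascript
// Constructed model, not measurements: all latencies are in microseconds.
function mulberry32(a) {              // small deterministic PRNG so runs repeat
  return function () {
    let t = (a += 0x6D2B79F5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// One read of true duration `d`, timed with a clock that only ticks every
// `res` microseconds; the read starts at a random phase within a tick.
function observe(d, res, rnd) {
  const start = rnd() * res;
  return Math.floor((start + d) / res) * res - Math.floor(start / res) * res;
}

// n reads of about `base` +/- 5 us, as seen through the coarse clock.
function trace(base, res, n, rnd) {
  return Array.from({ length: n }, () => observe(base - 5 + 10 * rnd(), res, rnd));
}

const mean = (xs) => xs.reduce((s, x) => s + x, 0) / xs.length;

// Best accuracy any single-threshold rule reaches on ONE read (0.5 = coin flip).
function perReadAccuracy(idle, busy) {
  let best = 0.5;
  for (const t of new Set([...idle, ...busy])) {
    const hits = idle.filter((x) => x < t).length + busy.filter((x) => x >= t).length;
    best = Math.max(best, hits / (idle.length + busy.length));
  }
  return best;
}

// Compare an assumed uncontended trace with an assumed contended one.
function evaluate(res, seed = 1) {
  const rnd = mulberry32(seed);
  const idle = trace(80, res, 2000, rnd);   // assumed read time, drive idle
  const busy = trace(100, res, 2000, rnd);  // assumed read time, drive contended
  return { accuracy: perReadAccuracy(idle, busy), meanGap: mean(busy) - mean(idle) };
}

console.log("1 us clock:  ", evaluate(1));
console.log("100 us clock:", evaluate(100));
```

In this model the coarse clock drops single-read accuracy from 1.0 to roughly 0.6, while the average gap between the two traces stays near 20 microseconds. Coarsening alone therefore shrinks the signal per read rather than removing it.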
