CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 29, 2026

Websites can spy on user activity by analyzing SSD behavior

Help Net Security Archived May 29, 2026 ✓ Full text saved

Websites have spent years collecting information about visitors through browser fingerprinting, tracking scripts, and other techniques designed to identify devices and monitor behavior. Researchers have demonstrated another method that relies on something most users would never expect a website to observe: activity on their SSD (Solid-State Drive), the storage device where applications and files are stored. Dubbed FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing, the techniqu

Full text archived locally
✦ AI Summary · Claude Sonnet


    Sinisa Markovic, Senior Staff Writer, Help Net Security May 29, 2026 Share Websites can spy on user activity by analyzing SSD behavior Websites have spent years collecting information about visitors through browser fingerprinting, tracking scripts, and other techniques designed to identify devices and monitor behavior. Researchers have demonstrated another method that relies on something most users would never expect a website to observe: activity on their SSD (Solid-State Drive), the storage device where applications and files are stored. Dubbed FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing, the technique allows a website to infer information about websites and applications active on a user’s system. A browser feature becomes an attack vector FROST is a side-channel attack, a category of attacks that extracts information from indirect signals generated by a system. In this case, the signal comes from SSD contention, which occurs when multiple programs compete for access to the same storage device. High-level overview of the FROST attack (Source: Research paper) By measuring the timing differences created by that competition, a website can collect information about activity occurring elsewhere on a system. Previous SSD-based side-channel attacks required software running directly on a device. FROST moves the attack into the browser. The technique relies on the Origin Private File System (OPFS), a browser feature that gives websites their own sandboxed storage area for saving data locally. According to the authors, the work represents the first demonstration of an attack that exploits OPFS to leak information from a victim’s system through JavaScript running in a browser. A user only needs to visit a webpage hosting the attack code. No malware, browser extensions, elevated privileges, or software installation are required. The authors also demonstrated that the same mechanism can be used to establish a communication channel through SSD contention. The researchers say the findings reflect a broader shift in how web browsers are used. “Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications. Companies like Google, Microsoft, and Adobe have developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the browser,” the paper authors wrote. “Moving applications to the web allows them to be platform independent, accessible and always up-to-date. However, this shift also introduces new security and privacy challenges,” they added. Limitations and mitigations The technique comes with several practical limitations. Long-running measurements require a large OPFS file, which can consume a noticeable amount of storage space. Users who monitor available disk space may be able to spot unusual storage usage associated with the attack. FROST also depends on the targeted activity occurring on the same SSD being monitored. Website fingerprinting is less affected by this requirement because OPFS files are stored in the browser’s default location. Application fingerprinting may be less reliable on systems that use separate drives for different workloads. The attack does not provide direct access to files stored on a device and does not bypass browser sandboxing protections. Several mitigations are discussed in the paper. These include limiting the amount of storage available through OPFS, reducing the precision of timing information available to websites, and alerting users when websites store unusually large amounts of data. The findings were responsibly disclosed to Google, Mozilla, and Apple before publication. The Chromium team stated that it does not consider fingerprinting attacks to be security vulnerabilities. Apple considered the attack out of scope, although it indicated that mitigations may be implemented in the future. Mozilla acknowledged the findings but had not implemented mitigations at the time of publication. More about attack browser privacy research surveillance Share
    💬 Team Notes
    Article Info
    Source
    Help Net Security
    Category
    ◇ Industry News & Leadership
    Published
    May 29, 2026
    Archived
    May 29, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗