New website tracking method monitors visitors' SSD activity
Original: Websites have a new way to spy on visitors: Analyzing their SSD activity
Why This Matters
Reveals new browser-based tracking vector that bypasses traditional privacy protections
Security researchers discovered FROST technique allowing websites to spy on visitors by measuring SSD timing patterns using JavaScript and OPFS. Method can detect other open websites and apps without user interaction.
Researchers unveiled FROST (fingerprinting remotely using OPFS-based SSD timing), a new tracking technique that monitors visitors' solid-state drive activity to determine what websites and applications they have open. The method exploits a contention side channel by measuring I/O operation timing differences on SSDs. Using JavaScript that interacts with OPFS (origin private file system), attackers can create isolated storage spaces and measure SSD interactions. A pretrained convolutional neural network then analyzes the timing patterns to deduce open apps and websites across different browsers and tabs. The technique requires no user interaction beyond visiting the attacking website. Unlike previous SSD-based attacks, FROST runs entirely within web browsers, representing a new privacy threat as browsers have evolved into complex application platforms.