Websites Can Now Spy on Your Open Tabs and Apps Through Your Hard Drive

For decades, internet users have navigated a digital landscape fraught with covert tracking methods, from monitoring browsing histories and device fingerprints to real-time keystrokes and mouse movements. Even tech giants like Meta and Yandex have been implicated in these privacy-invasive practices. Now, a new and sophisticated technique has emerged, allowing websites to spy on visitors by measuring subtle interactions with their solid-state drives (SSDs). This method, dubbed FROST (fingerprinting remotely using OPFS-based SSD timing), represents a significant escalation in online surveillance capabilities. FROST exploits a "side channel," a form of data leak that arises from physical manifestations of computing processes, such as timing differences in task completion. Specifically, it leverages a "contention side channel" by measuring the timing of input-output (I/O) operations on a visitor's SSD. By meticulously analyzing these timings, researchers can infer which other websites a user has open in different tabs or even other browsers, and identify applications running on their device. Crucially, FROST requires no direct interaction from the visitor beyond simply opening the website hosting the attack. The technique operates entirely within the web browser, utilizing JavaScript to interact with the Origin Private File System (OPFS). OPFS is a dedicated storage space reserved for specific sites to execute code. While each OPFS is sandboxed and isolated from other websites and the device's main system, the embedded JavaScript can still measure I/O interactions within this space. These measurements are then fed into a pretrained convolutional neural network (CNN), a deep learning system, which analyzes the data to deduce the user's open applications and websites. This highlights how modern browsers, evolving into complex application platforms, inadvertently expand their attack surface. However, FROST does come with notable limitations. For the attack to be effective, the OPFS file must be exceptionally large, typically a gigabyte or more. This substantial storage requirement means that large-scale attacks would likely be detected by users or system monitoring tools. Furthermore, the OPFS file must reside on the same SSD that the visitor is actively using. While this is rarely an issue for tracking open websites, as OPFS files are stored in the browser's default location, it prevents the detection of applications running on a separate SSD. To mitigate the risk of FROST attacks, users are advised to close browser tabs promptly when they are no longer needed. More advanced users can monitor the creation and size of OPFS files generated by unfamiliar websites. Researchers have also proposed solutions for browser developers, such as implementing limits on the maximum size of OPFS files allowed. As of now, there are no indications that FROST attacks have been deployed in the wild. The research, which successfully demonstrated the full attack on an M2 Mac and the underlying primitive on Linux, is slated for presentation at the DIMVA conference in July.