LOOKING AHEAD: A research team in Austria has identified a new way for websites to quietly observe what users are doing on their devices using nothing more than a browser and faint signals from the machine's own hardware. The technique does not rely on cookies, click-tracking scripts, or the fingerprinting methods that have become familiar over the years. Instead, it exploits the timing behavior of solid-state drives.

The method, known as FROST – short for "fingerprinting remotely using OPFS-based SSD timing" – focuses on how different processes compete for storage access. That competition leaves behind small but measurable timing differences. By monitoring those timing shifts, the research team was able to determine which other sites and applications were active on the device.

This approach falls into a category known as side-channel attacks, in which information is inferred indirectly from system behavior rather than accessed directly. In this case, the side channel is SSD latency. When multiple programs try to read or write data simultaneously, they contend for the drive, and the resulting delays shift in ways that can be observed from within a browser session.

What makes FROST notable is that it runs entirely within the browser. The attack uses JavaScript to interact with the Origin Private File System, or OPFS, a feature designed to give websites isolated storage space. While OPFS is sandboxed at the software level, it still relies on shared hardware. That shared layer is where the information leakage occurs.