Your browsing habits may not be as private as you think, even with all the right precautions in place. According to Ars Technica, security researchers have uncovered a new attack technique that lets a malicious website figure out which other sites and apps you have open. You do not need to click anything, download anything, or grant any permission; just visiting the page is enough.
How can websites spy on your browsing activity through your hard drive?
The technique is called FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing. Every website and app you use generates its own unique pattern of activity on your SSD, the storage drive inside your computer.
FROST exploits a browser feature called the Origin Private File System, or OPFS, which quietly lets websites store files on your local drive without asking permission first.
The attacker’s page creates a large file on your drive and then listens to the tiny speed fluctuations that happen when your SSD is busy handling other tasks. Those fluctuations are fed into an AI model that has been trained to recognize the telltale patterns of specific websites and apps.
According to the research paper, the technique correctly identified which websites a person had visited with about 89% accuracy, and which apps were running with about 96% accuracy, when tested on an Apple M2 Mac.
The attack also works across different browsers simultaneously, meaning visiting the attacker’s page in Chrome can still expose what you are doing in Safari.
The browsers won’t fix this, but you can protect yourself

FROST has not been spotted in the wild yet, which is reassuring. It also only works while the offending tab is open, so closing it immediately stops the attack.
Google, Apple, and Mozilla were all informed, but none have committed to a fix. Your best defense right now is keeping an eye on your available disk space. A sudden, unexplained drop in storage is a red flag worth investigating immediately.
Browser-level fixes have been proposed, including capping how much disk space OPFS can claim, but given the browser makers’ responses, those changes are not coming any time soon.
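The disk-space check suggested above can be automated. The following is an added example, not code from the researchers or the article: it flags any fast fall in free space within a short look-back window. The 60-second window, the 5 GiB threshold, the function names and the sample values are all assumptions, since the article does not say how large the attacker's file is.

```python
import shutil
import time
from collections import deque

GIB = 2**30
MIB = 2**20

def find_sudden_drops(samples, window_s=60, drop_bytes=5 * GIB):
    """Return (start_ts, end_ts, bytes_lost) for each fast fall in free space.

    samples: (timestamp_seconds, free_bytes) pairs in ascending time order.
    window_s and drop_bytes are assumed thresholds; tune them per machine.
    """
    window = deque()
    alerts = []
    for ts, free in samples:
        window.append((ts, free))
        # Forget samples older than the look-back window.
        while ts - window[0][0] > window_s:
            window.popleft()
        peak_ts, peak_free = max(window, key=lambda s: s[1])
        lost = peak_free - free
        if lost >= drop_bytes:
            alerts.append((peak_ts, ts, lost))
            # Re-baseline so one large write raises one alert, not many.
            window.clear()
            window.append((ts, free))
    return alerts

def sample_free_space(path="/", interval_s=10, count=6):
    """Yield live (timestamp, free_bytes) samples for the volume holding path."""
    for _ in range(count):
        yield (time.time(), shutil.disk_usage(path).free)
        time.sleep(interval_s)

# Constructed samples: slow background churn, then 10 GiB vanishes in 20 s.
CONSTRUCTED_SAMPLES = [
    (0, 200 * GIB), (10, 200 * GIB - 20 * MIB), (20, 200 * GIB - 40 * MIB),
    (30, 196 * GIB), (40, 190 * GIB), (50, 190 * GIB), (60, 190 * GIB - 10 * MIB),
]

if __name__ == "__main__":
    for start, end, lost in find_sudden_drops(CONSTRUCTED_SAMPLES):
        print(f"free space fell {lost / GIB:.1f} GiB between t={start}s and t={end}s")
    # Live check of the current volume (about one minute of sampling).
    print(find_sudden_drops(sample_free_space()))
```

Downloads and software updates also trigger this, so treat an alert as a prompt to check which tabs are open.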
