New FROST technique allows websites to spy on user activity via SSD timing
Translated from Croatian, summarized and contextualized by DistantNews.
At a glance
- Researchers have developed a new method called FROST (Fingerprinting Remotely using OPFS-based SSD Timing) that allows websites to spy on users' browsing activity.
- FROST measures subtle interactions with a user's Solid-State Drive (SSD) to determine which websites are open in other tabs or browsers, and even which applications are running.
- The technique operates entirely within the browser using JavaScript and OPFS (Origin Private File System), requiring no user interaction beyond visiting the malicious website.
Websites can now spy on users in a novel and alarming way by measuring subtle interactions with their Solid-State Drives (SSDs), according to research from the Graz University of Technology. This new technique, dubbed FROST (Fingerprinting Remotely using OPFS-based SSD Timing), allows websites to monitor which other sites a visitor is browsing and even which applications are open on their device, regardless of the browser used.
This method is a "side-channel" attack, one that exploits information leaking from a system's physical behaviour. Specifically, FROST uses a "contention side channel", which measures the timing differences that arise when multiple processes compete for the same resource, in this case the SSD. By measuring the time taken for certain input-output operations on the visitor's SSD, researchers can accurately determine open web pages, even across different tabs and browsers, and running applications.
What makes FROST particularly concerning is that it requires no user interaction beyond simply visiting the website hosting the attack. Unlike previous SSD-based attacks, FROST operates entirely within the browser. It uses JavaScript to interact with the Origin Private File System (OPFS), a storage space allocated to a specific website for its code to use. Websites can create this space without user permission or notification.
Although each OPFS is isolated, malicious JavaScript can still measure disk interactions. The attacker continuously monitors the SSD load by performing random reads from a large OPFS file. When a user opens a new page or launches an application, it increases the SSD load, causing measurable differences in latency for the attacker's read operations. This timing difference allows the attacker to infer the user's activity.
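A defender-side illustration of the access pattern described above (sustained random reads across a large OPFS file), added here and not taken from the FROST research or the original article: a heuristic that flags origins showing that pattern in storage telemetry. The record format, thresholds and origin names are constructed assumptions, not a real browser API or log.

```javascript
// Added example. Each constructed record: { origin, op, offset, size, t } (t in ms).
function flagSsdProbing(events, opts = {}) {
  const { minReads = 500, minSpanBytes = 256 * 2 ** 20,
          minRandomFrac = 0.9, minDurationMs = 5000 } = opts; // assumed thresholds
  const byOrigin = new Map();
  for (const e of events) {
    if (e.op !== 'read') continue;
    if (!byOrigin.has(e.origin)) byOrigin.set(e.origin, []);
    byOrigin.get(e.origin).push(e);
  }
  const flagged = [];
  for (const [origin, reads] of byOrigin) {
    if (reads.length < minReads) continue;
    reads.sort((a, b) => a.t - b.t);
    let lo = Infinity, hi = 0, jumps = 0;
    for (let i = 0; i < reads.length; i++) {
      lo = Math.min(lo, reads[i].offset);
      hi = Math.max(hi, reads[i].offset + reads[i].size);
      // A read that does not start where the previous one ended is a jump.
      if (i > 0 && reads[i].offset !== reads[i - 1].offset + reads[i - 1].size) jumps++;
    }
    const span = hi - lo;                        // bytes of the file touched
    const randomFrac = jumps / (reads.length - 1); // share of non-sequential reads
    const durationMs = reads[reads.length - 1].t - reads[0].t;
    if (span >= minSpanBytes && randomFrac >= minRandomFrac && durationMs >= minDurationMs)
      flagged.push({ origin, reads: reads.length, span, randomFrac, durationMs });
  }
  return flagged;
}

// Constructed sample telemetry: one probing-like origin, one benign sequential loader.
function sampleEvents() {
  const ev = [];
  let seed = 12345; // deterministic generator so the sample is reproducible
  const rand = () => (seed = (seed * 48271) % 2147483647) / 2147483647;
  const GiB = 2 ** 30, MiB = 2 ** 20;
  for (let i = 0; i < 1000; i++) // small reads at random offsets in a 1 GiB file
    ev.push({ origin: 'https://probe.example', op: 'read',
              offset: Math.floor(rand() * (GiB - 4096)), size: 4096, t: i * 10 });
  for (let i = 0; i < 600; i++)  // sequential 1 MiB chunks of a 600 MiB file
    ev.push({ origin: 'https://editor.example', op: 'read',
              offset: i * MiB, size: MiB, t: i * 10 });
  return ev;
}

console.log(flagSsdProbing(sampleEvents()).map((f) => f.origin));
```

The benign origin reads just as much data for nearly as long, and is separated only by the share of non-sequential reads, which is why the heuristic checks all three properties together.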
Originally published by Večernji List in Croatian. Translated, summarized, and contextualized by our editorial team with added local perspective.