Cybersecurity Newswire Startups Technology

New SSD Analysis Technique Lets Websites Spy on Visitors

May 28, 2026Last Updated: May 28, 2026

2 minutes read

Close-up of a solid-state drive (SSD) showing the SATA connector. — Solid State Drives are game changers when it comes to data storage. Unlike traditional hard drives, they have no moving parts, which means they're faster, quieter, and more durable. They’re perfect for those who value speed—whether it’s for booting up your system, launching applications, or transferring files. It's like giving your computer a turbo boost!

▼ Summary

– A new browser-based technique called FROST uses SSD timing measurements to spy on a visitor’s open apps and other websites.
– FROST exploits a contention side channel by measuring I/O operation timing as processes compete for SSD resources.
– The attack requires no visitor interaction beyond opening the site hosting the malicious code.
– Previous SSD side-channel attacks existed, but FROST is unique in running entirely within the browser using JavaScript.
– The technique leverages the OPFS (origin private file system), which websites can create automatically without user permission.

From tracking browsing histories to logging keystrokes and mouse movements in real time, websites have long relied on increasingly creative methods to spy on visitors without their knowledge. Even industry giants like Meta and Yandex have been caught engaging in these privacy-invasive practices. Now, a new technique gives sites another tool for covert surveillance: measuring how visitors interact with their solid-state drives (SSDs).

Dubbed FROST (fingerprinting remotely using OPFS-based SSD timing), this method enables websites to monitor which other sites a visitor is viewing and which applications are open on their device. The attack exploits a side channel,a form of data leakage caused by physical phenomena such as electromagnetic emissions, data caches, or the time required to complete a task. By analyzing these manifestations, attackers can decrypt encrypted traffic and infer sensitive information.

FROST specifically relies on a contention side channel, which measures how various processes compete for the same resource. By timing certain I/O (input-output) operations on a visitor’s SSD, researchers could identify the websites open in other tabs,even across different browsers,and the apps running on the device. The technique requires no action from the visitor beyond simply opening the site hosting the attack.

“Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications,” the paper’s authors explained. “Companies like Google, Microsoft, and Adobe have developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the browser.” They added: “While these features enhance the capabilities of web applications and allow completely novel use cases, they also increase the browser’s attack surface, and some have already been shown to introduce new vulnerabilities.”

Unlike earlier SSD-based contention side-channel attacks, FROST operates entirely in the browser. It uses JavaScript to interact with the origin private file system (OPFS),a dedicated storage space reserved for a specific website’s code. Sites can create an OPFS without any visitor interaction, making the attack both stealthy and easy to deploy.

(Source: Ars Technica)