A team of researchers has identified a novel technique that could allow websites to monitor a visitor’s activity by measuring subtle fluctuations in solid-state drive (SSD) performance, raising fresh concerns about browser privacy.
The attack, dubbed FROST (Fingerprinting Remotely using OPFS-based SSD Timing), exploits the Origin Private File System (OPFS), a browser feature that lets websites store data locally without requiring explicit user permission. According to the researchers, a malicious site can create large files and repeatedly access them to detect SSD contention caused by other activity on the same machine.
Browser attack: Unlike earlier SSD side-channel attacks that required native code running on a victim’s computer, FROST operates entirely from within a web browser. The researchers demonstrated that, after persuading a user to keep a malicious webpage open, an attacker could infer which websites were being visited and even identify applications being launched elsewhere on the system.
In tests on macOS, the technique achieved website-fingerprinting accuracy approaching 89% in a closed-world setting and application-fingerprinting accuracy of roughly 96%, suggesting that storage-access patterns can reveal surprisingly detailed information about user behaviour.
Broader challenge: The findings underscore a broader challenge facing browser developers. Modern web applications increasingly rely on powerful features that provide near-native capabilities, including local storage access. While these tools enable sophisticated web-based software, they can also create unexpected avenues for surveillance and side-channel attacks.
Vendor response: Researchers disclosed the issue to major browser vendors, including Google, Mozilla and Apple. Responses varied, with some vendors viewing fingerprinting as outside the scope of traditional security vulnerabilities, while others acknowledged the findings but have not yet introduced mitigations.
Potential defenses include stricter limits on OPFS storage usage, reduced access to high-resolution timers, or additional user permissions. Yet each remedy risks impairing legitimate web applications. As browsers continue to evolve into full-fledged computing platforms, the tension between functionality and privacy is likely to become increasingly difficult to ignore.
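To make the timer-resolution mitigation named above concrete, here is an added example that is not code from the researchers, the FROST paper, or any browser vendor. It is a self-contained JavaScript simulation: two constructed latency distributions stand in for "idle" and "contended" storage reads, a single-sample classifier tries to tell them apart, and the clock it reads is either full resolution or clamped to a coarse grid the way browsers clamp `performance.now()`. Every number in it (the 50 µs and 65 µs means, the noise band, the threshold, the seeded PRNG) is a constructed assumption chosen only to illustrate the effect, not a measurement of any real SSD.

```javascript
// Added example (constructed): how clamping a timer to a coarse grid affects
// a single-sample timing classifier. Not from the FROST paper or any browser.

// Small seeded PRNG (mulberry32) so runs are reproducible. Constructed, not
// suitable for anything security-relevant.
function makeRng(seed) {
  let a = seed >>> 0;
  return function next() {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed latency model in microseconds: an "idle" read takes ~50 µs, a
// "contended" one ~65 µs, each with +/-5 µs of uniform noise.
const IDLE_MEAN_US = 50;
const CONTENDED_MEAN_US = 65;
const NOISE_HALF_WIDTH_US = 5;

function sampleLatencyUs(rng, contended) {
  const mean = contended ? CONTENDED_MEAN_US : IDLE_MEAN_US;
  return mean + (rng() * 2 - 1) * NOISE_HALF_WIDTH_US;
}

// The clock as a web page would see it: full resolution when granularityUs
// is 0, otherwise floored to a multiple of granularityUs (the mitigation).
function readTimer(trueTimeUs, granularityUs) {
  if (granularityUs <= 0) return trueTimeUs;
  return Math.floor(trueTimeUs / granularityUs) * granularityUs;
}

// One measurement: the start instant sits at an unknown phase relative to the
// clock grid, so a clamped clock yields either 0 or one grid step.
function measureLatencyUs(rng, contended, granularityUs) {
  const latency = sampleLatencyUs(rng, contended);
  const start = rng() * Math.max(granularityUs, 1);
  const end = start + latency;
  return readTimer(end, granularityUs) - readTimer(start, granularityUs);
}

// Single-sample classifier: threshold halfway between the two true means.
const THRESHOLD_US = (IDLE_MEAN_US + CONTENDED_MEAN_US) / 2;
function classify(measuredUs) {
  return measuredUs >= THRESHOLD_US;
}

// Fraction of trials (n per class) the classifier gets right under a given
// timer granularity. 1.0 means perfectly distinguishable, 0.5 means chance.
function classificationAccuracy(granularityUs, n = 1000, seed = 42) {
  const rng = makeRng(seed);
  let correct = 0;
  for (let i = 0; i < n; i++) {
    for (const contended of [false, true]) {
      const observed = measureLatencyUs(rng, contended, granularityUs);
      if (classify(observed) === contended) correct++;
    }
  }
  return correct / (2 * n);
}

// Compare a full-resolution clock with clocks clamped to 20 µs, 100 µs and
// 1 ms (the last two are in the range browsers have actually used).
function demo() {
  const rows = [0, 20, 100, 1000].map((g) => ({
    granularityUs: g,
    accuracy: classificationAccuracy(g),
  }));
  for (const r of rows) {
    console.log(`granularity ${String(r.granularityUs).padStart(4)} us -> ` +
                `single-sample accuracy ${r.accuracy.toFixed(3)}`);
  }
  return rows;
}

demo();
```

Run it with `node` and read the table: with the full-resolution clock the two distributions never overlap, so one sample suffices; once the grid is coarser than the 15 µs gap between the constructed means, a single reading collapses to "zero or one tick" and the accuracy falls toward chance. The residual above 0.5 is the phase leakage a clamped clock still carries, which is why coarsening is usually discussed together with the other remedies the article lists rather than on its own.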