Another Way Browsers Can Spy on You: Listening to Your Hard Drive

Researchers show a browser attack that can infer open sites and apps.

by · ZME Science

A malicious website may not need a virus, a fake login page or a suspicious download to learn something about what you are doing on your computer.

Researchers have shown that a web page can watch for tiny slowdowns in a computer’s storage drive and use those delays to guess which websites someone visits or which apps they open. The technique is experimental for now, but it points to a growing problem: modern browsers are becoming so powerful that they can reveal things they were never meant to see.

Hidden in Plain Sight

The attack is called FROST. It relies on a browser storage feature known as the Origin Private File System, or OPFS, and on the way solid-state drives, or SSDs, respond when several programs use them at once.

That sounds technical, but the idea is simple enough.

When your computer’s storage drive is busy, some requests take a little longer than usual. A malicious web page can make repeated requests to its own private storage area and watch for those tiny delays. It can’t read your files or see your screen, but it may be able to infer that something else on the machine is happening at the same time.

This works because modern browsers no longer just display pages. They run office suites, video editors, coding tools, and games. To make those apps feel fast and native, browsers now give websites more ways to store and handle files on a device.

Researchers at Graz University of Technology and their collaborators showed that the method could identify visits to popular websites and the opening of common macOS apps. In one test involving the top 50 websites, the system reached an F1 score of 88.95%, a measure that combines how often the model was right with how often it missed the correct answer. In another test, it identified 10 built-in macOS apps, including Maps, Music, Safari and System Settings, with an F1 score of 95.83%.

“The attacker continuously measures SSD contention by performing random reads from a large OPFS file,” the researchers wrote in the paper. “SSD contention caused by user activity causes measurable latency differences for these read operations.”


The study doesn’t show that FROST is being used in the wild, nor does it mean that any website can instantly know everything happening on your computer. The attack has to be set up carefully, and it needs time to gather enough measurements. A person would have to open a malicious page and leave it running while using other sites or apps.

Still, the finding is troubling because it exposes a quieter problem with the modern web.

The Side Channel Problem


FROST shows that even when the storage resources browsers hand to websites are designed to be private, they can still leak information indirectly.

The researchers describe this as a side-channel attack. These attacks don’t break into a system head-on. Instead, they study the traces that normal activity leaves behind. They look for instances when a chip or SSD uses more power, or when it responds a fraction of a second slower. With enough measurements, those faint clues can become revealing.

It’s not a new idea. Researchers have studied attacks like this for decades. But FROST moves this problem to a new battlefield: the browser.

The attack needs only JavaScript running on an attacker-controlled site. The victim has to open that site and leave it open while using the computer. Because it measures storage activity rather than a single tab’s memory, the researchers argue it can leak activity across the system.

Using machine learning, the attacker first trains a model on known drive-timing patterns. Later, the model classifies new patterns and guesses which site or app produced them.

What Can Be Done

You don’t need to smash your SSDs. Rather, try to push browser makers to be more accountable and responsible. Credit: Pexels

For users, the best defense is simple: don’t leave unfamiliar tabs open. A FROST attack needs time to listen while you use other websites or apps.

People can also watch for sudden drops in free storage. The attack may need to create a large browser file, so unexplained storage use could be a warning sign.

But it’s the browser makers that can truly patch this problem.

The researchers suggested several fixes: cap the size of OPFS files, warn users when a site stores unusually large files, reduce access to precise timers, or ask users before allowing a site to use OPFS.


None of those fixes is painless. Many legitimate web apps need fast local storage to work well. Permission pop-ups can also backfire, because users often learn to click through them.
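
One of the fixes listed above, reducing access to precise timers, can be modeled in a few lines. This is an added illustration, not code from the researchers or from any browser: the latency ranges, the timer steps and the function names are constructed assumptions. It scores single reads only, so it shows how much per-read signal a coarser clock removes, not a full security bound.

```javascript
// Added illustration; all latencies are constructed, not data from the FROST paper.

// Deterministic PRNG (mulberry32) so every run gives the same result.
function mulberry32(a) {
  return function () {
    let t = (a += 0x6d2b79f5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// What a page sees when it times one read with a clock that only
// advances in steps of resolutionMs (a clamped performance.now()).
function observedMs(startMs, durationMs, resolutionMs) {
  const ticks = Math.floor((startMs + durationMs) / resolutionMs)
              - Math.floor(startMs / resolutionMs);
  return ticks * resolutionMs;
}

// Fraction of single reads labelled correctly by the best fixed threshold.
function perReadAccuracy(resolutionMs, reads = 2000, seed = 1) {
  const rand = mulberry32(seed);
  const sample = (lo, hi) =>
    observedMs(rand() * 1000, lo + rand() * (hi - lo), resolutionMs);
  const idle = [], busy = [];
  for (let i = 0; i < reads; i++) {
    idle.push(sample(0.08, 0.12)); // constructed: drive otherwise idle
    busy.push(sample(0.14, 0.18)); // constructed: drive under contention
  }
  let best = 0;
  for (const cut of new Set([...idle, ...busy])) {
    const hits = idle.filter(v => v < cut).length
               + busy.filter(v => v >= cut).length;
    best = Math.max(best, hits / (2 * reads));
  }
  return best;
}

// Compare a fine-grained clock with two coarser ones.
for (const res of [0.005, 0.1, 1]) {
  console.log(`timer step ${res} ms -> per-read accuracy ${perReadAccuracy(res).toFixed(3)}`);
}
```

An accuracy near 0.5 means a single timed read says almost nothing about whether the drive was busy, which is the effect the timer mitigation aims for.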

FROST points to a broader problem. As browsers become more like full operating systems, they gain new abilities—and new ways to leak information.

The study is scheduled to be presented at the DIMVA conference in July 2026.