A Website Can See What You’re Doing on Your Computer — And You’d Never Know
Websites Can Now Spy on Your SSD to See What You’re Doing Online
A new technique called FROST lets any website peek at which other sites you have open — and even which apps are running on your device — just by timing your hard drive.
Websites have been finding sneaky ways to track you for decades — from logging where you click, to building digital “fingerprints” of your device, to secretly recording your typing. Now, researchers have uncovered a brand new spying trick, and this one is surprisingly clever.
It’s called FROST — short for Fingerprinting Remotely using OPFS-based SSD Timing — and it works by silently watching how busy your solid-state drive (SSD) is. By measuring tiny timing differences in how fast data is read from your SSD, a website can figure out what other websites you have open in your browser, and even which apps are running on your computer.
The scariest part? You don’t have to click anything. Just opening the site is enough.
So how does it actually work?
Think of your SSD like a busy road. When lots of programs or tabs are using it at the same time, traffic slows down — everything has to wait its turn. This is called contention, and the slight slowdowns it causes are measurable.
“By measuring the timing of certain input-output operations, researchers were able to determine the websites open in other tabs — even on other browsers — and the apps open on the visitor’s device.”
FROST works by creating a large hidden file on your device (up to a gigabyte or more) using a browser storage feature called OPFS — the Origin Private File System. This is a completely normal, allowed browser feature that websites use to store data locally. There’s nothing suspicious about it, which is what makes it tricky.
Once that file is created, the website starts rapidly reading from it and carefully measuring how long each read takes. When other apps or browser tabs are also using the SSD in the background, those reads slow down by tiny — but detectable — amounts.
Those timing patterns are then fed into an AI model (a convolutional neural network, the same type used in image recognition) which has been trained to recognize what different activity patterns look like. Netflix buffering? Gmail loading emails? Spotify playing music? Each one leaves a slightly different “fingerprint” in the SSD timing data.
What can it actually reveal?
In tests, FROST was able to identify specific websites open in other tabs — even in a completely different browser — and detect which desktop apps were running at the time. The researchers tested the full attack on a Mac with an M2 chip, and confirmed the core technique also works on Linux.
It has some real-world limits. The huge file it needs to create (likely 1 GB+) would be noticed by careful users monitoring their storage. Also, if your apps are installed on a separate SSD from your browser, FROST can’t detect them. And so far, there’s no evidence it’s been used maliciously in the wild.
How do you protect yourself?
- Close browser tabs as soon as you’re done with them — this reduces the “SSD fingerprint” a site can read.
- Check what large files websites are storing on your device. Advanced users can monitor OPFS file creation in browser developer tools.
- Keep your browser updated — browser makers are being alerted, and limiting the maximum size of OPFS files is one potential fix.
What happens next?
The researchers behind FROST are presenting their findings at the DIMVA security conference in July 2026. They’ve also proposed solutions that browser makers like Google (Chrome), Mozilla (Firefox), and Apple (Safari) could implement — primarily by limiting how large these hidden files are allowed to grow, which would make the timing measurements much less accurate.
It’s a good reminder that modern browsers have become incredibly powerful platforms — almost mini operating systems — and that power sometimes comes with unexpected privacy trade-offs. The same storage features that let Google Docs or Figma work offline in your browser can also, in the wrong hands, be turned into a spying tool.
For now, the best defense is a simple habit: close the tabs you’re not using.
