A new web tracking technique has been disclosed that can analyse SSD activity inside a browser to infer other sites a user is viewing and even apps that are running.

On May 27, U.S. tech outlet Ars Technica reported that researchers presented a new side-channel attack technique called Frost. It has drawn attention in the security industry because it can work simply by a user opening a website that contains the attack code.

Frost is a contention-based attack that uses changes in SSD input/output latency. The researchers ran JavaScript that repeatedly accessed large files using the browser’s internal storage, the Origin Private File System (OPFS), and then measured tiny differences in latency during SSD access. They explained that by analysing the data with a pre-trained convolutional neural network model, they can infer which websites a user has open and even which programs are running in other browsers or applications.

The researchers focused on how browsers have evolved beyond simple web page viewers into complex application execution environments. Companies such as Google, Microsoft and Adobe provide browser-based office tools, editing programs and integrated development environments. The researchers pointed out that this expansion in features broadens the use of web applications while also greatly increasing the browser attack surface.

A feature of the technique is that it can be carried out using only functions inside the browser, without taking operating system privileges or installing separate malware. OPFS is storage that is separated by site and, in principle, isolated from other sites or the system, but JavaScript can measure I/O interaction itself with this storage. The researchers explained that if an attacker repeatedly performs random read operations on a large OPFS file, SSD contention appears as latency differences, and an AI model can analyse them to identify patterns of system activity.

There are several constraints on large-scale real-world abuse. First, the OPFS file size must be very large. The researchers said a file of at least 1 GB is likely to be needed for attack efficiency, which means users may notice an increase in storage. The OPFS file must also be on the same storage device as the user’s primary SSD, and apps that use a separate SSD are difficult to detect.

As a countermeasure, the researchers suggested closing unused tabs immediately. Advanced users can also directly check the size and creation of OPFS files generated by the browser. The researchers proposed that limiting the maximum size of OPFS files at the browser vendor level could also be a mitigation.

The experiment implemented the full attack scenario in an Apple M2-based Mac environment. The researchers confirmed that measuring SSD access latency itself is also possible on Linux, and said that, in principle, any task can be used as a training target if system activity has stable SSD access patterns. Windows 11 has not yet been tested.

So far, no evidence has been confirmed that the Frost technique has been abused in real-world environments. The findings are scheduled to be presented in July at the DIMVA security conference. The industry is pointing to the need for vigilance over new web tracking techniques that exploit hardware-level signals such as storage devices and I/O as browsers evolve into high-performance application platforms.