A newly disclosed side channel attack is raising uncomfortable questions about how much information modern browsers accidentally leak to websites.
Researchers have demonstrated that websites can infer a user's browsing activity by measuring subtle timing differences tied to SSD activity, turning ordinary storage behavior into a privacy vulnerability that works across tabs and even separate browsing sessions. The attack, referred to as FROST, takes advantage of the fact that browsers expose highly precise timing information through web APIs.
By carefully monitoring how long certain operations take, malicious websites can detect fluctuations caused by SSD reads and writes happening elsewhere on the system.
Those tiny delays become signals that can reveal what another browser tab is loading, what sites a person is visiting, and in some cases what kind of activity is occurring in the background.
What makes the research particularly unsettling is that it does not rely on traditional tracking methods such as cookies, fingerprinting scripts, or browser permissions.
Instead, the attack works indirectly by observing how shared hardware resources behave under load. SSDs process data requests with measurable latency changes, and modern browsers expose enough timing precision for attackers to reconstruct patterns from those changes.
According to the researchers in a published paper (PDF), the method uses JavaScript.
When embedded into a malicious webpage, the JavaScript file loads automatically as soon as an unsuspecting visitor opens the site, silently initiating the attack in the background.
The script first creates a massive OPFS file that can consume up to 60% of the available storage space in browsers like Chrome and Safari. It then continuously performs random 4 KB read operations on the file. Because the file is intentionally larger than the operating system's page cache, each request forces the SSD to perform real disk accesses instead of serving cached data.
As victims continue browsing other websites or using applications, their SSD activity begins competing with the attacker's constant read operations.
According to researcher Hannes Weissteiner, these storage conflicts generate measurable latency spikes that can act as behavioral fingerprints.
The attack literally analyzes SSDs function (electrical pulses across NAND flash, I/O throughput, etc), observes timing fluctuations, to then be able to identify what users are doing in other tabs or applications.
After the JavaScript measures the I/O interactions, the attackers can then run those interactions through a pretrained convolutional neural network (trained to analyze text, audio, and images) to deduce various apps and websites open on the device.
Websites often generate recognizable storage patterns while loading assets, caching content, or writing session data. If attackers profile those patterns beforehand, a malicious webpage could potentially infer whether a victim has opened a banking portal, messaging service, streaming platform, or even an AI application in another tab.
The discovery adds to a growing list of side channel vulnerabilities that blur the line between software privacy and hardware behavior.
Earlier attacks focused on CPU caches, speculative execution, GPU timing, or memory sharing.
This new method shifts attention toward storage devices, showing that SSD activity itself can become an unintended communication channel between otherwise isolated browser contexts.
Several technology publications noted that the attack is especially concerning because browsers were never designed with SSD timing leaks in mind. Existing web security models assume tabs are isolated from one another, but side channels bypass those assumptions by exploiting shared system resources underneath the browser layer.
Even without direct access to files or browsing history, attackers can still extract behavioral signals through timing analysis alone.
Browser vendors are already discussing potential mitigations. One approach involves reducing the precision of browser timing APIs so websites cannot accurately measure tiny latency changes.
Another possibility is introducing more randomness into how browsers schedule storage operations, making it harder to correlate SSD activity with specific browsing events. Researchers also suggested that future browsers may need stronger isolation techniques for hardware resource access.
Still, security experts warn that side channel attacks are notoriously difficult to eliminate completely because they exploit fundamental properties of shared computing environments.
Fixing one timing leak often leaves another measurable signal elsewhere in the system. The challenge becomes even more complicated as hardware grows faster and more interconnected.
For users, there is currently no evidence that the attack is being widely exploited in the wild, but the research serves as another reminder that online privacy extends far beyond visible tracking tools. Even when browsers block cookies, sandbox tabs, and restrict permissions, the hardware underneath may still quietly reveal clues about user activity.