Austrian security researchers have shown that a website can infer what you are doing on a computer by measuring how quickly the SSD responds to requests. Their method, called FROST, needs no malware, no shady attachment, and no user mistake beyond opening a page.
That sounds absurd until you remember how much modern tracking has moved beyond cookies. Browsers already leak a lot; FROST pushes the idea one layer deeper, into storage hardware most people never think about. If that sounds like a nightmare for privacy, that is because it is one.
How FROST uses SSD timing
The technique, short for “Fingerprinting Remotely using OPFS-based SSD Timing,” abuses browser storage features to create a file of several gigabytes. That heavy write activity keeps the drive busy, and the website then measures tiny delays in how fast the SSD answers follow-up requests.
Those delays are not random. They shift depending on what else is being written, read, or opened on the machine, and a machine-learning model can turn that noise into a fingerprint of the user’s activity. In the researchers’ tests, it identified visited websites with 88.95% accuracy and applications with 95.83% accuracy.
Why the SSD timing attack is harder to spot
The unsettling part is that this does not depend on a particular browser. A page in Google Chrome could, in theory, learn something about activity happening in Mozilla Firefox or another app, because the signal comes from the SSD rather than the browser itself.
The experiments were run on Linux and macOS, but the researchers say the approach is not tied to those systems. That leaves Windows squarely in the “probably not safe by design” category, which is not where anyone wants to be with a storage drive.
What users and browser makers can do now
The team has not offered a clean fix. Their view is that closing the hole will require changes in browsers and in the web technologies that allow sites to poke at storage in this way. Until then, the practical advice is painfully low-tech: close tabs as soon as you are done with them.
That will not remove the vulnerability, but it does shorten the window for collection. More broadly, FROST is another reminder that the web keeps finding new places to hide surveillance, and hardware that used to look like a dull slab of flash memory can suddenly become part of the attack surface.

