Malicious Websites Exploit SSD Timing Signals to Monitor Visitor Activity
ID: 0d0d9770-0764-5684-85f3-7c032bd390af
STIX ID: report--0d0d9770-0764-5684-85f3-7c032bd390af
Feed Name: GBHackers
Researchers disclosed FROST, a novel browser-based side-channel that uses the Origin Private File System (OPFS) and high-resolution timers to measure SSD contention from JavaScript. A drive-by page can create large OPFS files and perform random reads to force disk I/O; competing I/O from other tabs or native apps produces measurable latency traces that a CNN can classify to identify visited websites or launched applications across browsers. The technique works cross-tab and cross-browser on the same SSD, achieves high classification accuracy in experiments, can support a high-speed covert channel, and raises significant privacy concerns; proposed mitigations include capping OPFS sizes, restricting timers, or requiring consent for large storage quotas.
