Ars Technica: Websites have a new way to spy on visitors: analyzing their SSD activity

While each file system is sandboxed, meaning it’s isolated from other websites and from the device system itself, the JavaScript can measure the I/O interactions. Then, by running those interactions through a pretrained convolutional neural network—a system that uses deep learning to analyze text, audio, and images—the attacker can deduce various apps and websites open on the device.

However:

One of the best ways to prevent FROST attacks is to close tabs as soon as they’re no longer needed. More savvy users can monitor the creation and size of OPFS files allocated by unknown websites. The researchers proposed ways for browser makers to shut down the side channel. One such method is to limit the maximum size allowed for such files. There are no indications FROST attacks have been performed in the wild.

5 Likes
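The quoted advice to monitor the creation and size of OPFS files can be scripted. The following is an added example, not code from the article, the paper or any poster: it walks a directory handle and flags large files. The 1 GiB threshold is an assumption taken from the article's "a gigabyte or more" remark, and the mock handles are constructed stand-ins so the logic also runs outside a browser. Because OPFS is per-origin, it reports only the origin it runs in.

```javascript
// Added example: audit the Origin Private File System (OPFS) of one origin.
// Works on any object shaped like a FileSystemDirectoryHandle.
const LARGE_FILE_BYTES = 1024 ** 3; // assumption: ~1 GiB threshold

// Recursively collect { path, size } for every file under a directory handle.
async function listOpfsFiles(dir, prefix = "") {
  const files = [];
  for await (const [name, handle] of dir.entries()) {
    const path = `${prefix}/${name}`;
    if (handle.kind === "directory") {
      files.push(...(await listOpfsFiles(handle, path)));
    } else {
      const file = await handle.getFile(); // File object; .size is in bytes
      files.push({ path, size: file.size });
    }
  }
  return files;
}

// Summarise usage and flag files at or above the threshold.
async function auditOpfs(root, threshold = LARGE_FILE_BYTES) {
  const files = await listOpfsFiles(root);
  const totalBytes = files.reduce((sum, f) => sum + f.size, 0);
  const flagged = files.filter((f) => f.size >= threshold).map((f) => f.path);
  return { fileCount: files.length, totalBytes, flagged };
}

// Constructed stand-ins for OPFS handles (hypothetical sample data).
function mockFile(size) {
  return { kind: "file", getFile: async () => ({ size }) };
}
function mockDir(children) {
  return {
    kind: "directory",
    async *entries() {
      for (const pair of Object.entries(children)) yield pair;
    },
  };
}

const sampleRoot = mockDir({
  "cache.db": mockFile(4096),
  blobs: mockDir({ "probe.bin": mockFile(2 * 1024 ** 3) }),
});

auditOpfs(sampleRoot).then((report) => console.log(report));
```

In a browser console on the site being checked, pass the real root instead: `auditOpfs(await navigator.storage.getDirectory())`.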

As someone who does a lot of research in the browser, this is a no go. I will always have like 25+ tabs that persist for around a week or two whenever I’m working on something.

3 Likes

Laughs manically from inside a disposable VM

From the sound of this report, scripts would be foiled by hypervisor partitions, and unable to read SSD activity from space allocated to other VMs.

3 Likes

I agree. It would have been impossible to write any research papers without having multiple tabs open.

2 Likes

The technique has its limitations. First, the OPFS file must be extremely large—likely a gigabyte or more.

Step one: crash the browser for 90% of people.

While I do enjoy the validation of blocking JS by default and isolating my browsing the way I do, this also seems like a research-level issue and not a threat vector…for now.

From the original paper:

Ultimately, the most effective mitigation would be to enable OPFS only after explicit user permission, which would significantly harm the usability of OPFS for legitimate applications and cause disruptions to user workflows.

Also seems like something that should be one day covered in browser security settings, right?

…right?