Websites have been using various methods to track and analyze users’ data in various ways so they can easily target the customer with the needs they are looking for, or they can create a new need for the customers which they were not actually looking for, and the browser plays a major role in it.
Now, a new research paper from Graz University of Technology in Austria has uncovered a new side-channel attack called FROST (Fingerprinting Remotely using OPFS based SSD Timing) that has raised severe concerns in the cyber community and among privacy-conscious people. It will easily track which websites we are using and also which applications we are using on our system without any additional special permissions or installation — just visiting the malicious website is enough.
Let’s see a real-life scenario. Imagine your home, inside you are calmly working or resting on your sofa. Some outsider wants to know what’s happening inside but they cannot see inside; instead, they can hear sounds from your house. For example, a TV is running and a washing machine is running — they can assume what you are doing by listening to the sounds and analyzing them. Just like that outsider piecing together your routine from sounds alone, FROST pieces together your digital life from the faint timing signals your SSD makes — without ever seeing a single file.
Now, you might be wondering — what exactly is OPFS? OPFS stands for Origin Private File System. It is a legitimate browser feature built to help web apps store files quickly and efficiently on your device. Browsers like Chrome and Edge introduced it to make web applications faster and more capable. It was never meant to be a spying tool — but like many technologies, it is being turned into one.
Same here: once you visit the malicious site, it will create a large file on your computer’s SSD using a browser feature called OPFS (Origin Private File System). Then after that, it will continuously check what activities have been going on on our computer using SSD tiny delays.
Once it is recorded, it will look for delays and identify the pattern using AI, and it is now mostly 85 percent accurate. But it cannot see your stored passwords or files — it will only identify patterns. So with these patterns, they can easily assume which apps we are using, and this information can be very helpful for advertisers, trackers, or criminals.
And you might think — “I have nothing to hide, so why should I care?” But this is not about hiding anything. You are not doing anything wrong. This is about strangers building a detailed profile of your daily digital life — which apps you use, when you use them, and how — without ever asking for your permission. That information then gets passed to advertisers, trackers, or in worse cases, criminals who can use it against you.
And this has been shared with the companies like Google, Apple, and Firefox. Currently they are not seriously looking into this issue — maybe in the future they can come back with a new update to prevent this, or they could be silently working on a new fix.
