Malicious Sites Track Visitors via SSD Timing Analysis

Jennifer sherman
May 28, 2026 3 Min Read

Malicious websites can now track visitors by exploiting minute fluctuations in Solid State Drive (SSD) access times. This sophisticated technique transforms routine browser activity into a profound privacy vulnerability.

Researchers showed that a JavaScript attack can use the browser’s Origin Private File System (OPFS) to generate disk activity and read timing signals, without requiring native code or special privileges.

The attack uses a side channel, which means it does not steal data directly. Instead, it watches how long SSD reads take while the victim is using the computer, then looks for patterns that match website visits or app launches.

Malicious Sites Track SSD Timing

In the attack, a malicious webpage continuously measures storage latency while the victim browses normally or uses other apps.

The technique is particularly concerning because it operates entirely within the browser sandbox. The researchers found that OPFS can be used to create files on disk that are large enough to force real SSD reads rather than memory cache reads.

That allows the attacker to collect timing traces with enough detail to classify user activity. The paper describes a browser-based attack called FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing.

High-level overview of the FROST attack (source: hannesweissteiner)

On macOS, the researchers reported that the attack could predict accessed websites with an F1 score of 88.95 in a closed-world test and 86.95 in an open-world test. They also achieved an F1 score of 95.83 for application fingerprinting.

The same work also built a covert channel, which means a hidden path for data transfer, between a native app and a malicious website.

On Linux, the channel reached a true capacity of 661.63 bits, while on macOS it reached 891.77 bits in one setup. That shows the timing leak is not just theoretical; it can carry usable information. This attack is dangerous because it does not depend on a browser crash, malware installation, or a classic exploit chain.

A user only needs to visit an attacker-controlled site. In the OPFS scenario, no extra permission prompt is required. That makes it more practical than older SSD contention attacks, which required native code or direct user interaction.

The impact goes beyond website tracking. The research also showed that application usage can be fingerprinted, meaning attackers may infer whether someone opened tools such as Safari, System Settings, or other native apps.

For privacy, that is a serious problem because it reveals behavior the user would not expect a web page to observe.

According to the researchers, mitigations include limiting large OPFS storage usage, reducing access to high-resolution timers, and making browser file-system access more permission-based.

They also note that browser vendors could alert users when many origins rapidly consume large amounts of OPFS storage. In practice, stronger browser restrictions and less precise timing sources would make this attack style harder to run.
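The storage alert mentioned above can be sketched as a sliding-window check over per-origin OPFS usage. This is an added example, not code from the researchers or from any browser; the thresholds, field names and telemetry samples are assumptions constructed for illustration.

```javascript
// Added example: policy values and sample telemetry are constructed assumptions.
const MiB = 2 ** 20;
const POLICY = {
  windowMs: 60_000,           // look-back window for "rapidly"
  perOriginBytes: 512 * MiB,  // growth that counts as "large" for one origin
  minOrigins: 3,              // how many such origins count as "many"
};

// samples: [{ t, origin, opfsBytes }] in time order, where opfsBytes is the
// origin's total OPFS usage at time t (ms). Returns one alert per burst.
function findOpfsBursts(samples, policy = POLICY) {
  const history = new Map();  // origin -> usage points kept for the window
  const alerts = [];
  let inBurst = false;
  for (const { t, origin, opfsBytes } of samples) {
    if (!history.has(origin)) history.set(origin, []);
    history.get(origin).push({ t, opfsBytes });
    const heavy = [];
    for (const [name, points] of history) {
      // Keep one point at or before the window start as the baseline.
      while (points.length > 1 && points[1].t <= t - policy.windowMs) points.shift();
      const growth = points[points.length - 1].opfsBytes - points[0].opfsBytes;
      if (growth >= policy.perOriginBytes) heavy.push(name);
    }
    const many = heavy.length >= policy.minOrigins;
    if (many && !inBurst) alerts.push({ t, origins: heavy.sort() });
    inBurst = many;           // report each burst once, not on every sample
  }
  return alerts;
}

// Constructed telemetry: three origins each grow by 1 GiB within 30 s,
// while a fourth stores only a few MiB.
const SAMPLE = [
  { t: 0, origin: "https://a.example", opfsBytes: 0 },
  { t: 0, origin: "https://b.example", opfsBytes: 0 },
  { t: 0, origin: "https://c.example", opfsBytes: 0 },
  { t: 0, origin: "https://notes.example", opfsBytes: 2 * MiB },
  { t: 10_000, origin: "https://a.example", opfsBytes: 1024 * MiB },
  { t: 20_000, origin: "https://b.example", opfsBytes: 1024 * MiB },
  { t: 25_000, origin: "https://notes.example", opfsBytes: 7 * MiB },
  { t: 30_000, origin: "https://c.example", opfsBytes: 1024 * MiB },
];
// Constructed counter-case: one large origin alone does not match "many origins".
const SINGLE = [
  { t: 0, origin: "https://editor.example", opfsBytes: 0 },
  { t: 5_000, origin: "https://editor.example", opfsBytes: 2048 * MiB },
];
```

With the constructed data, the three-origin trace raises a single alert at the sample where the third origin crosses the threshold, and the single-origin trace raises none.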

At the moment, the key lesson is simple: even ordinary web features can create powerful side channels. SSD timing may sound obscure, but this research shows it can be used to quietly and remotely track people through the browser.
