Your Browser Is Watching Your SSD — And You Can’t Stop It | Stack of Truths

Your Browser Is Watching Your SSD — And You Can’t Stop It

June 11, 2026 — 6 min read — Pedro Jose

A malicious website can now work out which sites you visit and which apps you open on your own computer. No malware. No hack. Just JavaScript and the timing of your SSD.

You open the page. Leave the tab sitting there. It watches your drive in the background. When you switch to another site or launch an app, the timing shifts — and a neural network identifies what you just did with up to 95% accuracy.

⚡ THE HARD TRUTH

The attack, called FROST, runs inside your browser sandbox. No permission prompt. No CVE. And browser vendors — Google, Apple, Mozilla — do not treat it as a security vulnerability. Your only defense is to close tabs you’re not using. That’s not a defense. That’s a hope.

How It Works — Without the Fluff

OPFS (Origin Private File System) — A browser storage feature added in 2023. No permission prompt. Any website can use it.
Create a huge file — Larger than your RAM. OPFS can use up to 60% of your disk space.
Read random chunks in a loop — Time each read with performance.now() (timers are blunt, but cross‑origin isolation sharpens them).
Wait for you to open another site or app — That activity competes with the attacker’s reads. Timing shifts.
Neural network identifies the pattern — With terrifying accuracy.

# Simplified attack flow
const opfsRoot = await navigator.storage.getDirectory();
const hugeFile = await opfsRoot.getFileHandle(‘payload.bin’, {create: true});
// Write a file larger than RAM
const writer = await hugeFile.createWritable();
await writer.write(new Uint8Array(100 * 1024 * 1024 * 1024)); // 100 GB
await writer.close();

// Read random chunks and time them
setInterval(() => {
    const start = performance.now();
    await hugeFile.read(4 * 1024, Math.random() * hugeFile.size);
    const duration = performance.now() – start;
    // Send timing to attacker’s server
}, 10);

            📌 THE NUMBERS THAT MATTER

            ✅ Top 50 websites (closed world): 88.95% F1 score

            ✅ 300+ websites (open world): 86.95%

            ✅ Native macOS apps (Mail, Calendar, Notes, etc.): 95.83%

            ✅ Covert channel speed: 662–719 bit/s (enough to exfiltrate data)

            That’s not a proof of concept. That’s a working surveillance tool.

Why This Is Different

Previous SSD attacks: Required native code, local access, low‑level interfaces, and permission prompts.
FROST: Runs inside browser sandbox. Remote. Uses standard browser API. Zero click. No permission prompt.

🧠 THE SCARY PART

You visit a website. You leave the tab open. It watches your drive. It learns what other sites you visit and what apps you open.

No notification. No consent. No CVE. And the browser vendors say it’s “not a security vulnerability.”

What the Browser Vendors Said

Google (Chromium): “Not a security vulnerability.” Fingerprinting is not treated as a bug. Chromium does not consider timing side channels of this nature a priority to fix.
Apple: “Out of scope.” Maybe a mitigation later. Maybe not.
Mozilla: Acknowledged the issue. No fix has been shipped.

The researchers’ real concern is structural: browsers keep handing web apps near‑native access to the hardware, and near‑native access brings near‑native leakage.

What You Can Do (Today)

✅ Close the tab. The measurement only runs while the attacker’s page is open. This stops that specific run.
🔍 Check browser storage for huge files. Browsers do not make OPFS usage easy to see. Good luck.
🐧 On Linux, use profile-sync-daemon. Keeps your browser profile in RAM. OPFS writes never hit the SSD, which blocks the zero‑click version.
❌ Wait for browser patches. Vendors don’t treat it as a security issue. Don’t hold your breath.

Not much. That’s the problem.

            🔐 WHAT THIS MEANS FOR PROFESSIONAL SERVICES

            Law firms. Accountants. Healthcare providers. Consultants. Your clients trust you with their secrets.

            If a website can tell what apps you’re opening — including your email, your document management system, your client portal — that’s not a privacy leak. That’s a compliance nightmare.

            The question isn’t whether FROST is being used in the wild. The question is whether your browser vendor thinks it’s a problem worth fixing. They don’t.

The Real Story — Not the Attack. The Attitude.

FROST is not a vulnerability. It’s a feature abuse. OPFS was designed for legitimate web apps. The timing side channel is a consequence of giving web apps near‑native hardware access.

The browser vendors knew this could happen. They built it anyway. Now they’re saying “not a security vulnerability” because fixing it would require trade‑offs in speed or usability.

Your privacy is not their priority. Your performance is.

⚠️ THE BOTTOM LINE

A website can now tell what apps you open on your own computer. No hack. No malware. Just a browser feature designed for “convenience.”

Browser vendors say it’s not a security issue. There is no fix. There may never be a fix.

Your only defense is to close tabs you’re not using. That’s not a defense. That’s a hope.

And if you run a business where client confidentiality matters, this is a ticking clock.

🦞🔐

Your browser is leaking your behavior. Let me show you what else is watching.

Full infrastructure pentest: €3,000. Privacy audit: included. Security retainer: €1,500/month.

📩 DM @StackOfTruths on X

Free 15-min consultation. No hard sell. Just honest answers about your real exposure.

Post on X

🦞 Stacking truths daily 🤡