
Austrian Researchers Prove Malicious Websites Can Identify Your Open Apps and Tabs by Reading Your SSD — No Click Required

A team at Graz University of Technology built a browser-based attack that identifies what websites and apps you have open with up to 96% accuracy — just by measuring your SSD's timing through a standard browser API. No malware, no permissions, no interaction needed. Google, Apple, and Mozilla were all told about it. None of them fixed it.

The Attack Is Real and It Works

Researchers at Graz University of Technology in Austria have published a paper describing a surveillance technique called FROST — Fingerprinting Remotely using OPFS-based SSD Timing.

A malicious website can silently figure out which other websites you have open in other tabs, which apps are running on your machine, and it can do all of this across different browsers simultaneously. You don't click anything. You don't download anything. You just visit the page.

According to Tom's Hardware, the attack correctly identified visited websites with roughly 89% accuracy and running applications with roughly 96% accuracy on a test Mac.

How It Actually Works

Every modern computer uses a solid-state drive. When you visit websites, those sites interact with your SSD — reading and writing small amounts of data constantly.

FROST exploits something called the Origin Private File System (OPFS), a browser API that lets websites create and store files on your local disk without ever asking your permission. According to Tom's Hardware, both Chrome and Safari allow a website to claim up to 60% of total disk space through OPFS. On a 256GB drive, that's over 150GB.

The attack creates a massive file — Futurism reports it can be several gigabytes — that effectively hogs your SSD's attention. While that's happening, the malicious site quietly measures the timing of other read/write operations happening on the same drive.

Those timing measurements get fed into a convolutional neural network — a machine learning model trained to recognize the unique SSD access patterns that different apps and websites produce. According to Wired, the JavaScript runs entirely inside the browser sandbox. No kernel access. No special privileges. Nothing.

Hannes Weissteiner, the study's lead author, told Ars Technica: "In principle, it would be possible to train a model on any system activity that reliably generates SSD accesses."

Works Across Browsers. Works Across Operating Systems.

Because the attack operates at the hardware level — through the SSD itself — it doesn't matter which browser you're using. According to Futurism, an attacker could theoretically track your Firefox browsing based on a website you visited in Chrome.

The researchers tested on Mac and Linux. They noted Windows is NOT immune. The attack surface is essentially every modern personal computer.

Google, Apple, and Mozilla All Punted

The researchers did the responsible thing. They disclosed their findings to Google, Apple, and Mozilla before publishing.

Here's what happened, according to Tom's Hardware:

Google said it doesn't consider fingerprinting a security vulnerability.

Apple called the attack "currently out of scope."

Mozilla acknowledged the findings. Did NOT implement fixes.

Google controls Chrome, which holds roughly 65% of the global browser market. Their response was that fingerprinting isn't a security issue. This is the same company that built an entire advertising empire on tracking user behavior.

What This Really Reveals

Wired covered the technical mechanics well. Futurism did a decent job explaining it in plain English.

The fuller picture: this is an advertising and surveillance industry problem as much as it is a hacking problem.

Google isn't rushing to patch this because of misaligned incentives. Fingerprinting — knowing exactly who you are, what you're doing, and what you're interested in without your consent — is the backbone of behavioral advertising. Google's entire revenue model depends on knowing things about you that you didn't explicitly share.

Apple, which loudly markets itself on privacy, quietly told researchers the attack was "out of scope." The same Apple that charges a premium for privacy-forward products. The same Apple that lectures developers about user data.

Can You Protect Yourself?

Partially. According to Futurism, closing tabs when you're done with them reduces the risk — there's less SSD activity for the attack to measure.

But the real fix requires browser vendors to either restrict OPFS permissions, add noise to SSD timing measurements, or both. That's a browser-level patch. Individual users can't do it themselves.
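
To make the timing-noise mitigation concrete, here is an added illustration (not code from the researchers or from any browser vendor): a toy model that simulates probe-read latencies and reports how often a simple midpoint threshold still tells a busy drive from an idle one once jitter is injected. The latency values, the `distinguishability` function and the threshold test are assumptions of this example; FROST itself feeds its measurements to a convolutional neural network.

```javascript
// Toy model with constructed numbers (not measurements from the FROST paper):
// a probe read takes ~100 µs on an idle drive and ~140 µs when another
// process is using it, each with ±15 µs of natural variation.
const IDLE_US = 100, BUSY_US = 140, SPREAD_US = 15;

// Small seeded PRNG (mulberry32) so every run produces the same figures.
function mulberry32(seed) {
  let a = seed | 0;
  return () => {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
const uniform = (rng, lo, hi) => lo + rng() * (hi - lo);

// Latency as page script would see it: the real latency plus jitter injected
// by the browser (uniform in ±jitterUs), averaged over `reads` probe reads.
function observedLatency(rng, busy, jitterUs, reads) {
  let sum = 0;
  for (let i = 0; i < reads; i++) {
    const real = (busy ? BUSY_US : IDLE_US) + uniform(rng, -SPREAD_US, SPREAD_US);
    sum += real + uniform(rng, -jitterUs, jitterUs);
  }
  return sum / reads;
}

// Fraction of trials in which a midpoint threshold labels the drive state
// correctly. 1.0 means the signal leaks fully; 0.5 is a coin flip.
function distinguishability(jitterUs, reads, trials = 2000, seed = 1) {
  const rng = mulberry32(seed);
  const threshold = (IDLE_US + BUSY_US) / 2;
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const busy = i % 2 === 1; // alternate idle and busy ground truth
    const guess = observedLatency(rng, busy, jitterUs, reads) > threshold;
    if (guess === busy) correct++;
  }
  return correct / trials;
}

// Rows: [jitter in µs, reads per decision, accuracy]
const report = [[0, 1], [200, 1], [200, 256]].map(
  ([j, n]) => [j, n, distinguishability(j, n)]);
console.table(report);
```

With these constructed values, ±200 µs of jitter pushes single-read accuracy down to near chance, but averaging 256 reads per decision brings it back above 95%. Injected noise therefore has to be sized against how long a page is allowed to keep measuring, which is why the paragraph above pairs it with restricting OPFS.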

Right now, the three organizations that control the dominant browsers have all explicitly declined to act.

What Happens Next

A team of Austrian researchers built a tool that can spy on your entire digital activity — every tab, every app — just by getting you to load a webpage. They proved it works. They told Google, Apple, and Mozilla. All three took a pass.

Your SSD is now a surveillance device. The companies with the power to fix it have decided it's not their concern. And you never opted into any of it.

Sources

Wired (center-left): Websites Can Now Spy on You Through Your Hard Drive
Futurism: Websites Are Spying on Your Solid State Drive
Tom's Hardware: Researchers say they can spy on your browsing by measuring SSD activity through a browser API — claim FROST attack requires no permissions or user interaction to identify which apps and websites you're using
Reddit r/cybersecurity: Websites have a new way to spy on visitors: analyzing their SSD activity