this post was submitted on 28 May 2026
27 points (96.6% liked)

Technology

43004 readers
45 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 4 years ago
MODERATORS
remington@beehaw.org
alyaza@beehaw.org
TheRtRevKaiser@beehaw.org
gyrfalcon@beehaw.org
rs5th@beehaw.org
coldredlight@beehaw.org
SemioticStandard@beehaw.org
27
Websites have a new way to spy on visitors: Analyzing their SSD activity (arstechnica.com)
submitted 2 hours ago by Powderhorn@beehaw.org to c/technology@beehaw.org
8 comments fedilink hide all child comments
 

Over the decades, there has been no shortage of sites using clever techniques to covertly track visitors’ browsing histories, device fingerprints, and keystrokes and mouse movements in real time. Even Meta and Yandex were recently caught joining in the privacy-invasive free-for-all.

Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices.

The technique, laid out in a research paper, exploits a side channel, a form of leak resulting from physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.

The attack that FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing for) a given resource. By measuring the timing of certain I/O (input-output) operations of the SSD a visitor is using, the researchers were able to determine the websites open in other tabs—even on other browsers—and the apps that were open on the visitor’s device. FROST requires no interaction from the visitor other than opening the site hosting the attack.

top 8 comments
sorted by: hot top controversial new old
[–] turdas@suppo.fi 5 points 1 hour ago* (last edited 1 hour ago)

If you read through the paper this looks like a total nothingburger. They get the training data for the neural network they use for activity classification from the target system. Unless you give advertises labeled activity data from your system, the attack will not be possible as demonstrated.

[–] GMac@feddit.org 4 points 1 hour ago* (last edited 1 hour ago) (1 children)

Another reason to be aggressively blocking attempts to run JavaScript from marketing (and other non critical) domains.

[–] morto@piefed.social 1 points 3 minutes ago

Is there a way to automate it?

[–] einkorn@feddit.org 8 points 2 hours ago (1 children)

Letting those marketing fuckwits on the internet was a mistake ...

[–] Steve@communick.news 2 points 2 hours ago

In principle, yes.
But the problem here is that they aren't fuckwits. They're too clever for our own good.

[–] Marshezezz@lemmy.blahaj.zone 3 points 2 hours ago (1 children)

Is there any way to exploit what they are doing to feed them a bunch of shit data to waste their time and effort? Would it even be worth any effort? I’m asking sincerely cos I have a lot of time on my hands wink wink nudge nudge

[–] orca@orcas.enjoying.yachts 2 points 1 hour ago (1 children)

I wonder if you could setup a virtual drive that gets picked up as an SSD and then automate and randomize everything that happens within it so it’s just noise. The problem is that this hack probably gives insight into every drive on the system, so the exploit would still grab that data; it would just run alongside the bullshit stream of data.

[–] qprimed@lemmy.ml 2 points 1 hour ago

the attack should only have insight into the abstracted storage provided by the browser, so your idea of a virtual device that spits out random timing results is probably reasonable.

the issue is that timing being random, in and of itself, is a potential fingerprint when combined with other data from your browser - unless everyone is doing it as well.

all I can say is I give thanks for noscript every single day.