Researchers Uncover Websites Spying on Hard Drives via SSD Latency

Dr. Aris Thorne

June 1, 2026 · 5 min read

A malicious website can now determine which other sites a user has visited and which applications they have open with up to 96% accuracy, simply by having the user visit its page. This capability stems from a newly discovered method, dubbed FROST, which lets a website infer that activity from the behavior of the computer's solid state drive (SSD) without direct user interaction, according to Futurism. This enables covert profiling of users by the websites they visit.

Web browsers are designed to isolate individual websites within secure sandboxes. However, the FROST attack demonstrates that code running inside these sandboxes can still infer sensitive system-level user activity, as detailed by ZME Science. This challenges the fundamental promise of browser-based security.

Without architectural changes to browser security or SSD interaction, users face an escalating risk of covert surveillance from seemingly benign web interactions. Cybersecurity researchers developed FROST (Fingerprinting Remotely using OPFS-based SSD Timing) to spy on browser activity by measuring SSD load via an API, according to dev.ua. This method leverages standard JavaScript within a browser sandbox to measure SSD access latency, revealing other open sites and applications.

How Websites Access User Activity Data

  • A machine learning model used with the FROST technique predicted accessed websites with an accuracy rate of 88.95 percent and accessed applications with 95.83 percent accuracy, according to Futurism.
  • The FROST attack achieved an F1 score of 88.95% in identifying visits to the top 50 websites and 95.83% in identifying 10 built-in macOS apps, according to ZME Science.
  • Security researchers developed FROST to identify visited websites with roughly 89% accuracy and running applications with roughly 96% accuracy on a test Mac by measuring SSD access latency through JavaScript, according to Tom's Hardware.
  • FROST identified visited websites with about 89% accuracy and launched applications with about 96% accuracy on a test Mac, according to dev.ua.

The consistently high accuracy across multiple sources underscores FROST's potent capability to precisely profile user activity. This makes it a significant threat for targeted surveillance. The attack leverages standard web technologies to infer activity across the entire computer, challenging the isolation model browsers are built upon.

Browser Security: Why Sandboxes Are Failing

The FROST attack fundamentally bypasses traditional user interaction requirements. A malicious website can passively gather sensitive user activity data simply by being visited. The attack's high accuracy, up to 96% for applications, proves that indirect timing measurements within a browser sandbox provide a precise fingerprint of system-level activity.

This precision proves the browser sandbox is no longer a sufficient barrier against sophisticated digital espionage. Companies relying on browser-level isolation for user privacy operate under a false sense of security. The ability for a malicious website to infer a user's entire digital footprint without interaction means every visit now risks a data leak.

FROST achieves this accuracy using only standard JavaScript and SSD timing. That points to a systemic vulnerability requiring immediate attention from browser developers, not just patch fixes. The successful demonstration on a macOS test system suggests this vulnerability is not OS-specific, but rather a systemic issue related to how browsers interact with underlying hardware.

Why Web Browsers Collect Data From Your Hard Drive

The attack exploits the nuanced interaction between web browsers and underlying hardware, specifically Solid State Drives. Browsers utilize APIs, like the Origin Private File System (OPFS) API, which allows web applications to store and access files in a sandboxed environment on the user's local disk. This legitimate functionality enables persistent data storage for web applications.

FROST weaponizes this interaction by measuring the timing of SSD operations. When an SSD accesses data that is already cached, it responds faster than when it must retrieve data directly from the drive. By repeatedly querying specific file types or data patterns linked to common applications or website caches, a malicious script can detect these timing differences. This allows for an inference of whether an application is running or a website has been recently visited, without direct access to system processes or browser history.

This method blurs the line between browser and operating system security. It points to a systemic issue in how browsers interact with underlying hardware, one that affects a wide range of users.

Protecting Your Hard Drive From Website Snooping

The implications of the FROST attack extend beyond individual user privacy. Malicious actors, including state-sponsored groups or sophisticated advertisers, can leverage this technique to profile users. This enables targeted surveillance or highly personalized advertising based on a user's entire digital footprint, not just their activity on the visited malicious site.

Browser developers face an immediate challenge to address this systemic vulnerability. Patch fixes alone may not suffice, as the attack exploits fundamental interactions between web technologies and hardware. A fundamental rethink of web security models is necessary. This may involve re-evaluating the scope of APIs that permit timing measurements or implementing more robust hardware-level isolation within the browser environment.
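
An added illustration (not code from the FROST research or from any browser) of why the resolution of the timers a page can read matters for this class of attack: it simulates a clock that ticks every N microseconds and scores a fixed-threshold classifier on two constructed latency classes. The latency values, the threshold and all function names are assumptions made for this sketch.

```javascript
// Added illustration: every latency below is constructed, not measured on a real drive.
// Small seeded PRNG (mulberry32) so the simulation is reproducible.
function mulberry32(a) {
  return function () {
    let t = (a += 0x6d2b79f5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Duration as read from a clock that only advances every `resolutionUs` microseconds.
function observedDuration(startUs, latencyUs, resolutionUs) {
  const tick = (t) => Math.floor(t / resolutionUs) * resolutionUs;
  return tick(startUs + latencyUs) - tick(startUs);
}

// Score a fixed-threshold classifier on two hypothetical storage states.
function classifierAccuracy(resolutionUs, samplesPerClass = 2000, seed = 1) {
  const rand = mulberry32(seed);
  const classes = [
    { label: "idle", meanUs: 100 }, // assumed latency when the drive is quiet
    { label: "busy", meanUs: 130 }, // assumed latency when the drive is under load
  ];
  const thresholdUs = 115; // midpoint between the two assumed means
  let correct = 0;
  for (const c of classes) {
    for (let i = 0; i < samplesPerClass; i++) {
      const latencyUs = c.meanUs + (rand() * 20 - 10); // +/- 10 us of noise
      const startUs = rand() * 1e6; // random phase relative to clock ticks
      const seenUs = observedDuration(startUs, latencyUs, resolutionUs);
      if ((seenUs > thresholdUs ? "busy" : "idle") === c.label) correct++;
    }
  }
  return correct / (classes.length * samplesPerClass);
}

// Accuracy at 1 us, 100 us and 1 ms clock resolution.
function sweep() {
  return [1, 100, 1000].map((r) => ({ resolutionUs: r, accuracy: classifierAccuracy(r) }));
}

console.log(sweep());
```

In this constructed case a 1 µs clock separates the two states perfectly, while a 1 ms clock leaves the classifier close to guessing. A coarser clock lowers the information in each reading rather than closing the channel, which is why the paragraph above also mentions stronger isolation.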

User awareness regarding these sophisticated attacks also becomes critical. While direct user action to prevent FROST is limited, understanding the risks associated with visiting potentially malicious websites is important. By Q3 2026, major browser developers like Google and Mozilla will likely need to implement new architectural safeguards to restore confidence in browser-level privacy and security.

Can websites access my hard drive?

Websites cannot directly access your hard drive's file system without explicit user permission. However, the FROST attack demonstrates an indirect method. It infers activity by observing subtle timing differences in your Solid State Drive (SSD) operations, rather than directly reading files. This allows an attacker to deduce what applications are running or what other websites have been visited.

How do websites spy on users?

Beyond direct tracking cookies, websites can now spy on users through advanced side-channel attacks like FROST. This method involves a malicious script measuring the latency of data access on a user's SSD via standard browser APIs. These timing measurements reveal patterns of system activity, allowing the site to build a profile of the user's digital behavior across their entire computer.

Are there ways to prevent websites from accessing my hard drive?

For attacks like FROST, user-level prevention is challenging because they operate stealthily within the browser sandbox. Standard browser security settings and ad blockers offer limited protection against timing-based side-channel attacks. Future prevention will likely depend on browser developers implementing architectural changes to mitigate timing leakage or further restrict resource access for web pages.