Websites Spying On You Via SSD Activity Should Receive a FROST-y Welcome
A New Way To Strip Away Mac Users' Privacy
Websites love to spy on anyone who visits them, and are constantly coming up with new ways to do so as users find ways to block them. You might think this could be solved by explicitly asking permission and maybe even offering rewards for allowing sites to track you across the web, but that is far too reasonable for these times. LSOs, cookies, invisible pixels, browser preferences and even mouse movement habits have all been used in the past and now we have something called FROST. The only good news is that this invasion of privacy seems to only work on Apple devices.
FROST uses the activity on your SSD to spy on what other sites you have open, both in the browser with the nosey site and in any other browsers you happen to have open. It uses a contention side channel leak, looking at how various processes compete for resources on your system, and with a little JavaScript magic the site can get a good idea of what other sites you might be visiting. The JavaScript runs without any interaction from the user and essentially creates a file on your SSD large enough that, when the script accesses it, the other sites accessing storage on your SSD have to compete for I/O operations, which can reveal data on those other sites.
Ars Technica dives into all of the technical details of FROST here. If you want to know if a site is spying on your other tabs because you are allergic to closing tabs once you are done with them, there are browser extensions which let you browse the files on your local OPFS; the OPFS Explorer extension is available for Chrome and Firefox. If you see a file around 1GB or so in size, then FROST is snooping around your system.
Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices.
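The OPFS check described above can also be scripted. This is an added example, not code from the article or from the FROST researchers: it walks an origin's OPFS and lists oversized files. The 512 MiB threshold, the function names and the mock handles are assumptions made for illustration.

```javascript
// Added example: walk an origin's OPFS and flag unusually large files.
// Threshold is an assumption; the article only says "around 1GB or so".
const SUSPECT_BYTES = 512 * 1024 * 1024;

// Recursively list every file under a FileSystemDirectoryHandle.
async function listOpfsFiles(dir, prefix = "") {
  const found = [];
  for await (const [name, handle] of dir.entries()) {
    const path = `${prefix}/${name}`;
    if (handle.kind === "directory") {
      found.push(...(await listOpfsFiles(handle, path)));
    } else {
      const file = await handle.getFile();
      found.push({ path, size: file.size });
    }
  }
  return found;
}

// Return files at or above the threshold, largest first.
async function findLargeOpfsFiles(root, minBytes = SUSPECT_BYTES) {
  const files = await listOpfsFiles(root);
  return files.filter((f) => f.size >= minBytes).sort((a, b) => b.size - a.size);
}

// Constructed stand-ins for the browser handles, so the walk runs outside a browser.
function mockFile(size) {
  return { kind: "file", getFile: async () => ({ size }) };
}
function mockDir(children) {
  return {
    kind: "directory",
    async *entries() { yield* Object.entries(children); },
  };
}

// Constructed sample: small files plus one ~1 GB file in a subdirectory.
const sampleRoot = mockDir({
  "prefs.json": mockFile(2048),
  cache: mockDir({ "thumb.bin": mockFile(300000), "blob.dat": mockFile(1024 ** 3) }),
});

// In a page's DevTools console, pass the real root instead:
//   findLargeOpfsFiles(await navigator.storage.getDirectory()).then(console.table)
```

OPFS is private to each origin, so the console call only lists files belonging to the site whose tab it is run in.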
More Tech News From Around The Web
- Google Chrome adds session cookie theft protection for all users @ Bleeping Computer
- New Gogs zero-day flaw lets hackers get remote code execution @ Bleeping Computer
- GPU mining malware spreads via SEO poisoning, AI chatbots @ Bleeping Computer
- Dutch govt disrupts malware botnet with 17 million infected devices @ Bleeping Computer
- Fed up with vibe coders, dev sneaks data-nuking prompt injection into their code @ Ars Technica
- Last.fm Goes Independent After Breaking Up With Paramount Skydance @ Slashdot
- Startup offers free home cleaning—if it can record it all for robot training @ Ars Technica
- Windows 11 update preview promises faster launches, puts Task Manager on NPU patrol @ The Register
- When Is An Apple Laptop Not A Macbook? When It’s An Apple II @ Hackaday
- 6G: The next gen of wireless tech nobody’s ready to pay for @ The Register
- Microsoft tests the 15-character limit of Windows Server admins’ patience @ The Register
- Perfect Randomness Realized For the First Time @ Slashdot
- Disgruntled 0-day hunter ‘humiliated’ by Microsoft pledges ‘bone shattering drop’ as Redmond calls cops @ The Register
- Installing Out-of-the-Box Ubuntu LTS on Xsight Labs E1 64-Core Arm 800G DPU @ ServeTheHome
- Roku OS’s home screen now features a large, permanent ad @ Ars Technica
- KitGuru visits the DeepCool factory
- QIDI Max 4 Combo 3D Printer Review @ NikKTech


