How Websites Can Secretly See What You're Doing in Other Browser Tabs

Researchers at Graz University of Technology have discovered a new way for websites to spy on what you're doing in other browser tabs — and even what apps you're running on your computer. The attack is called FROST, and it works by measuring how fast the hard drive responds to requests.
Here's how it works: when you visit a website, that website can write huge files to your computer's storage space (up to 60% of your available disk space in Chrome and Safari). While those files are being written, the website measures how quickly the storage system responds. When you're using other tabs or apps, they also need to use the hard drive, which causes tiny delays in the timing. By analyzing these timing patterns, a website can figure out which other websites you have open and which programs you're running.
To make sense of all these timing patterns, the researchers used artificial intelligence trained to recognize the storage "fingerprint" of different websites and applications. Each program and website accesses storage in slightly different ways—like a unique signature that can be read through timing.
How the Attack Breaks Browser Safety Rules
Modern browsers are supposed to keep your tabs separate from each other. A website in one tab should not be able to see what's happening in another tab. FROST breaks this rule by using the storage layer—the part of your computer that stores files—as a way to peek across these boundaries.
The attack even works on websites you're not actively using. If a tab is open in the background and checking for updates or loading cached data, it generates enough storage activity to be detected and identified. This means a malicious website can spy on you even if you've switched away from another tab.
FROST can also work across different browsers. A website could potentially figure out what's happening in Firefox while you're viewing it in Chrome, because both browsers use the same hard drive.
Why This Happened
Browsers gave websites access to a storage feature called OPFS (Origin Private File System) so that web applications could work faster and handle large amounts of data while you're offline. This was a good thing for performance. But OPFS created an unexpected side effect: websites can now measure storage timing in ways that reveal information they shouldn't have access to.
This is not the first time researchers have found information leaking through system timing. In the early 2000s, researchers discovered that measuring CPU (processor) timing could leak secrets. Then came similar attacks through memory. Now it's storage. As browsers give web applications more power and access to the hardware underneath, new hiding spots for attacks keep appearing.
What You Can Do Right Now
You can reduce your risk by keeping the number of untrusted website tabs open at the same time to a minimum. Fewer open tabs means fewer storage operations happening at once, which makes it harder for the attack to work.
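Another option is to use container tabs or separate browser profiles for sensitive activities. This puts a wall between what websites can see in one profile and what they can see in another. Keep in mind that separate profiles, like the separate browsers described above, still share the same hard drive.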
What Comes Next
In my view, this research is a useful reminder that security requires thinking about all the ways information can leak—not just the obvious ones like your passwords or the data you type. Storage systems, just like memory and processors, can be used to spy on you if we're not careful.
Browser companies will need to decide how to fix this without slowing down websites. They might add randomness to storage timing, limit how fast websites can do storage operations, or isolate storage more carefully between different websites. But any fix has to keep websites running at good speeds, which is why this is harder than it sounds.
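To make the trade-off concrete, here is a toy simulation of two of those ideas, added randomness and a limit on storage operations per second. It is an added example, not code from the researchers or from any browser, and the latency values, the 20-microsecond contention delay and the function names are all constructed assumptions.

```javascript
// Toy model of two mitigations named above: timing jitter and a rate limit.
// All numbers are constructed for illustration, not taken from the research.

// Small seeded PRNG (mulberry32) so every run gives the same result.
function prng(a) {
  return function () {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Latency in microseconds of one storage operation as a page's script sees it.
// busy: another tab is using the disk. jitterUs: randomness added by the browser.
function observe(rand, busy, jitterUs) {
  const device = 100 + (rand() - 0.5) * 10; // idle latency with small noise
  const contention = busy ? 20 : 0;          // extra delay caused by the other tab
  return device + contention + rand() * jitterUs;
}

const mean = (xs) => xs.reduce((s, x) => s + x, 0) / xs.length;
const variance = (xs, m) => xs.reduce((s, x) => s + (x - m) ** 2, 0) / (xs.length - 1);

// Separability d': gap between busy and idle means, in units of per-sample noise.
function separability(jitterUs, n = 4000, seed = 1) {
  const rand = prng(seed);
  const idle = [], busy = [];
  for (let i = 0; i < n; i++) {
    idle.push(observe(rand, false, jitterUs));
    busy.push(observe(rand, true, jitterUs));
  }
  const mi = mean(idle), mb = mean(busy);
  const pooled = Math.sqrt((variance(idle, mi) + variance(busy, mb)) / 2);
  return Math.abs(mb - mi) / pooled;
}

// Samples per state needed for the gap to stand z standard errors clear of the
// noise, converted to seconds under a cap on storage operations per second.
function secondsToDecide(dPrime, opsPerSecond, z = 3) {
  return Math.ceil(2 * (z / dPrime) ** 2) / opsPerSecond;
}

const plain = separability(0);
const jittered = separability(400);
console.log("d' no jitter:", plain.toFixed(2), "| 400 us jitter:", jittered.toFixed(2));
console.log("seconds, 10000 ops/s, no jitter:", secondsToDecide(plain, 10000));
console.log("seconds, 50 ops/s, jitter:", secondsToDecide(jittered, 50));
```

In this model the randomness does not erase the signal. It only raises the number of measurements needed to average it out, and the rate limit is what turns that larger number into a long wait.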
As web applications become more powerful, the security protections around them have to get stronger too. FROST shows that even the boring plumbing—the storage system—needs to be part of that security thinking.

