
How Websites Can Spy on Your Other Browser Tabs—And What That Means

Martin Holloway | Published 6d ago | 5 min read | Based on 4 sources

Researchers at Graz University of Technology have discovered a new way for websites to monitor what else you're doing online. They call it FROST, and it works by measuring how long it takes data to move to and from your hard drive—a timing trick that allows one website to figure out which other sites you're viewing in other tabs, and even which apps you're running outside the browser.

The attack uses an API called OPFS (Origin Private File System), which modern browsers provide to give websites fast access to storage. FROST exploits this by creating large files that take up about 60% of your available disk space, then watching how the timing of disk operations changes when other apps or tabs are also accessing your drive. A neural network—a type of AI—learns to recognize which applications and websites create distinctive patterns, like reading a fingerprint.

How It Works

FROST operates by flooding your SSD (solid-state drive) with write operations while measuring how long they take. When your other browser tabs or apps try to read or write to the disk at the same time, they slow down the attacker's operations in detectable ways. Think of it like measuring how traffic flow changes on a highway when you introduce congestion from different sources—each source has a characteristic pattern.

The timing variations get processed by a trained neural network, which has learned what distinctive patterns different apps and websites leave behind. So far, the researchers have shown this can identify common applications and websites with reasonable accuracy.

The key advantage of this approach is that it targets the storage layer—your hard drive—rather than the processor or memory, which security researchers have studied more thoroughly. Browser makers have spent years defending against attacks on those resources, but the storage subsystem has received less attention.

Breaking Browser Isolation

The discovery is significant because it breaks through assumptions about how isolated your browser tabs are from each other. A website loaded in one tab can now figure out what's open in your other tabs, even in different browser windows. It can also identify applications running outside the browser entirely—again, by watching the disk timing patterns.

This works even when those other tabs are just sitting in the background. If another tab periodically reads or writes files—for things like syncing, updating, or caching—that activity still leaves a detectable mark on disk timing.

A Pattern in Computer Security

We have seen this pattern of attacks before. Over the past two decades, researchers have found ways to eavesdrop on systems by measuring timing—how fast operations complete. They started with CPU cache (the processor's fast memory), then moved to memory bus timing, and more recently to GPU patterns. Now they're looking at storage. Each time one attack vector gets fixed, researchers probe the next layer of the computing stack for similar weaknesses.

What's particularly noteworthy here is that FROST weaponizes a legitimate browser feature designed for good reasons. The OPFS API was created to let web applications store data quickly—useful for offline functionality or apps that work with large files. FROST shows how this performance-oriented feature can be turned into a security risk.

The broader point is worth flagging: as web applications gain access to more of your computer's resources through new browser APIs, the potential for information leakage through timing channels grows. Each new capability creates a new surface area for clever attacks.

What Can You Do About It

For now, you can reduce your risk by keeping fewer untrusted websites open at once. If fewer tabs are accessing your disk, timing analysis becomes less effective. You might also consider using separate browser profiles for sensitive activities—treating them like separate computers, isolating what malicious sites can observe.

The harder question belongs to browser makers. OPFS was created because web applications genuinely need fast storage access. But the implementation also creates timing "oracles"—side channels—that attackers can exploit. Browser vendors now face a choice: they can add complexity to slow down or randomize storage operations, impose rate limits, or isolate storage access more carefully. But any fix has to account for the legitimate performance needs that OPFS was built to satisfy in the first place.
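The trade-off described above, as an added illustration (not code from the article or from the researchers): a small model of one mitigation option, padding each storage call to a coarse time quantum, run over constructed latencies. The sample values, `padToQuantum` and the leak metric are assumptions made for this example, not any browser's implementation.

```javascript
// Constructed per-write latencies in milliseconds (illustrative, not FROST data).
const QUIET = [0.42, 0.45, 0.40, 0.47, 0.44, 0.43, 0.46, 0.41]; // disk otherwise idle
const BUSY  = [0.71, 0.95, 0.66, 1.20, 0.83, 0.78, 1.05, 0.69]; // another tab/app doing I/O

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;

// Hypothetical mitigation: the browser holds each storage call's completion
// until the next multiple of quantumMs, so the page only sees coarse timings.
// quantumMs = 0 means no mitigation.
function padToQuantum(latencyMs, quantumMs) {
  return quantumMs > 0 ? Math.ceil(latencyMs / quantumMs) * quantumMs : latencyMs;
}

// Leak metric: accuracy of the best single-threshold "quiet vs busy" guess.
// 1.0 = the two states are fully distinguishable, 0.5 = coin flip.
function bestThresholdAccuracy(quiet, busy) {
  let best = 0.5;
  for (const t of [...quiet, ...busy]) {
    const correct = quiet.filter((x) => x < t).length +
                    busy.filter((x) => x >= t).length;
    best = Math.max(best, correct / (quiet.length + busy.length));
  }
  return best;
}

// For one quantum, report what still leaks and what legitimate apps pay.
function evaluate(quantumMs) {
  const q = QUIET.map((x) => padToQuantum(x, quantumMs));
  const b = BUSY.map((x) => padToQuantum(x, quantumMs));
  return {
    quantumMs,
    leakAccuracy: bestThresholdAccuracy(q, b),
    addedLatencyMs: mean(q) - mean(QUIET), // cost on an uncontended write
  };
}

for (const quantumMs of [0, 0.5, 1, 2]) {
  const r = evaluate(quantumMs);
  console.log(`quantum=${r.quantumMs}ms leak=${r.leakAccuracy} ` +
              `added=${r.addedLatencyMs.toFixed(3)}ms`);
}
```

On these samples a 0.5 ms quantum hides nothing, and the signal only disappears once the quantum exceeds the slowest contended write, at which point every uncontended write is several times slower.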

In my view, this research is a good reminder that security isolation requires thinking about all the resources your computer shares—not just the obvious ones like processor and memory. Your hard drive, network connections, and other infrastructure all potentially leak information through timing if an attacker knows how to listen carefully. As web applications become more powerful, browsers need a security model that accounts for these less visible attack surfaces.

The research suggests that side-channel attacks will keep finding new targets as browsers expose more hardware capabilities. The pattern of cat-and-mouse between attackers and defenders is likely to continue, moving through different layers of the system as each one gets hardened against the previous generation of exploits.