With the increasing scope of cyberattacks, your browsing habits may not be as private as you think. Security researchers from Ars Technica have identified a new attack technique that allows malicious websites to determine which other sites and applications you have recently visited. Even if you do not click on anything, download files, or grant permissions, simply visiting the page can be enough.
How Are Websites Spying on Your Browsing Activity?
The technique enabling cybercriminals to analyse browsing patterns is known as "Fingerprinting Remotely Using OPFS-Based SSD Timing." In simple terms, every website and application you use generates its own unique pattern of activity on your SSD, the storage drive inside your computer.
The attack exploits the Origin Private File System (OPFS), a feature that allows websites to store files on your local drive without repeatedly asking for permission.
An attacker's webpage creates a large file on your drive and then monitors tiny speed fluctuations that occur when the SSD is busy handling other tasks. These fluctuations are then fed into an AI model trained to recognise the distinctive patterns associated with specific websites and applications.
Researchers found that the technique was able to identify websites a person had visited with approximately 89 percent accuracy and determine which applications were running with around 96 percent accuracy when tested on an Apple M2 Mac.
The attack also works across multiple browsers simultaneously. This means that visiting the attacker's page in Chrome could still reveal what you are doing in Safari.
Here's How You Can Protect Yourself
It may come as a relief to know that this technique only works while the malicious tab remains open. Once the offending tab is closed, the attack stops immediately.
Beyond that, browser-level fixes could help address the issue. These may include measures such as limiting the amount of disk space that OPFS can access or claim, making it more difficult for attackers to gather meaningful SSD activity data.
