Researchers have discovered that websites can measure solid-state drive activity through the browser using JavaScript, creating a new privacy vulnerability for visitors.
A new attack vector has emerged that allows websites to infer what files users have stored on their computers by measuring SSD activity patterns through the browser.
The technique works by analyzing timing variations in how quickly data is accessed from storage. When a file exists on a user's SSD, it loads faster than when the system needs to fetch data from elsewhere. Websites can detect these subtle timing differences using simple JavaScript running in the browser.
Researchers demonstrated that this method can identify whether specific files—such as documents, applications, or media—are present on a user's device. The attack requires no special permissions and works across different browsers and operating systems.
The vulnerability is significant because it reveals information about users without their knowledge or consent. An attacker could potentially determine:
- What applications are installed
- Whether specific files or folders exist
- User behavior patterns based on file access
- Information about system configuration
This creates privacy concerns beyond traditional browser tracking. Unlike cookies or fingerprinting techniques that websites already use, SSD activity monitoring is nearly invisible and difficult to detect or prevent.
Current browsers offer limited defenses against this type of attack. Mitigations would require changes to how browsers handle timing measurements or access to storage information. Some browsers have already implemented protections against similar timing-based attacks, but those may not fully address this specific vulnerability.
The discovery adds to growing concerns about what information websites can extract from visitor devices. Privacy advocates recommend browser developers implement protections, while users have limited recourse beyond using privacy-focused browsers with additional hardening options.
The research highlights how web technologies initially designed for legitimate purposes can be repurposed for surveillance. As browsers become more powerful, the potential for misuse of their capabilities expands accordingly.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.