A new technique named FROST (Fingerprinting Remotely Using OPFS-based SSD Timing) allows websites to spy on visitors by measuring subtle interactions with their solid-state drives, according to research reported by WIRED. The attack enables sites to monitor other websites a visitor is viewing and what apps are open on their device—all without requiring any interaction beyond opening the malicious site.
How FROST Works
FROST exploits a contention side channel, a leak that arises from the physical side effects of computation, such as the time a task takes to complete. By measuring the timing of certain I/O operations on the visitor's SSD, researchers were able to determine the websites open in other tabs—even in other browsers—and the apps open on the device. The attack runs entirely in the browser using JavaScript that interacts with the OPFS (origin private file system), a storage area the browser allocates to a specific site. Websites can create an OPFS file with no user interaction.
While each OPFS is sandboxed and isolated from other sites and the device system, the JavaScript can measure I/O interactions. Those measurements are then run through a pretrained convolutional neural network (CNN)—a deep learning system used to analyze text, audio, and images—to deduce the various apps and websites open on the device. As the researchers explained: "The attacker continuously measures SSD contention by performing random reads from a large OPFS file. SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model."
Limitations of the Attack
FROST has several limitations that reduce its practical threat at scale. First, the OPFS file must be extremely large—likely a gigabyte or more—which many users would notice. Second, the OPFS file must be stored on the same SSD the visitor is using. This works for tracking open websites, since the browser's default storage location is on the system drive, but apps that reside on a separate SSD cannot be detected.
Defensive Measures
One of the simplest ways to prevent FROST attacks is to close tabs as soon as they are no longer needed. More technically savvy users can monitor the creation and size of OPFS files allocated by unknown websites. The researchers also proposed that browser makers could shut down this side channel by, for example, limiting the maximum size of such OPFS files.
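As an added illustration of the monitoring suggested above (this is example code, not from the researchers or the WIRED report), the following Python script compares two snapshots of a directory and flags files that are newly created or have grown past a size threshold. It assumes the operator knows where their browser keeps OPFS-backed files on disk (that location varies by browser and OS and is not given here); the demo function builds a throwaway directory with constructed sample data so it runs stand-alone.

```python
import os
import tempfile
from typing import Dict, Tuple

THRESHOLD_BYTES = 1024 ** 3  # about the 1 GB file the attack is reported to need


def snapshot(root: str) -> Dict[str, int]:
    """Map every regular file under root to its size in bytes."""
    sizes: Dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sizes[path] = os.path.getsize(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
    return sizes


def suspicious_changes(before: Dict[str, int], after: Dict[str, int],
                       threshold: int = THRESHOLD_BYTES) -> Dict[str, Tuple[int, int]]:
    """Files that are new or have grown since `before` and now meet the threshold.
    Returns path -> (previous size, current size); previous size is 0 for new files."""
    flagged: Dict[str, Tuple[int, int]] = {}
    for path, size in after.items():
        prev = before.get(path, 0)
        if size >= threshold and size > prev:
            flagged[path] = (prev, size)
    return flagged


def demo_on_constructed_dir() -> Dict[str, Tuple[int, int]]:
    """Self-contained demo on constructed data: tiny files and a tiny threshold stand in
    for the real storage tree. Subdirectory names are arbitrary labels, not real origins."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "originA"))
    with open(os.path.join(root, "originA", "blob"), "wb") as fh:
        fh.write(b"x" * 10)
    before = snapshot(root)  # baseline: one small file
    with open(os.path.join(root, "originA", "blob"), "wb") as fh:
        fh.write(b"x" * 100)  # same file grows past the threshold
    os.makedirs(os.path.join(root, "originB"))
    with open(os.path.join(root, "originB", "blob"), "wb") as fh:
        fh.write(b"y" * 500)  # a new large file appears
    flagged = suspicious_changes(before, snapshot(root), threshold=100)
    # Report paths relative to root, with forward slashes regardless of OS
    return {os.path.relpath(p, root).replace(os.sep, "/"): v for p, v in flagged.items()}
```

In practice, take a baseline with `snapshot()` on the browser's storage directory, browse for a while, then rescan and pass both snapshots to `suspicious_changes()` with the default 1 GB threshold.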
Implications for Enterprise Cybersecurity
For enterprise technology leaders—particularly those managing supply chain systems that rely on browser-based applications—this attack vector underscores the growing attack surface of modern browsers. The researchers noted: "Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications. Companies like Google, Microsoft, and Adobe have developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the browser." These capabilities, while powerful, "also increase the browser's attack surface, and some have already been shown to introduce new vulnerabilities."
| Attack Feature | Description |
|---|---|
| Technique | FROST (Fingerprinting Remotely Using OPFS-based SSD Timing) |
| Vector | Contention side channel via SSD I/O timing |
| Required Resource | Large OPFS file (1 GB+) |
| Detection Difficulty | Low for normal users; OPFS size may alert careful users |
| Mitigation | Close unused tabs; monitor OPFS allocations; browser-level size limits |
While this specific attack has not been observed in the wild, it demonstrates the continued evolution of browser-based surveillance methods, previously seen with techniques targeting browsing histories, device fingerprints, and real-time keystroke monitoring. Even major firms like Meta and Yandex have been caught engaging in privacy-invasive tracking, according to the report. Enterprises should review their browser security policies and consider restricting OPFS usage or limiting the storage quota for third-party sites.