FROST Attack: How Websites Can Secretly Monitor You Through Your SSD

A New Browser-Based Spying Technique Has Arrived

For years, websites have employed increasingly sophisticated methods to track unsuspecting visitors — logging browsing histories, capturing device fingerprints, and even recording keystrokes and mouse movements in real time. High-profile companies like Meta and Yandex have faced scrutiny for similar privacy violations. Now, researchers have uncovered yet another alarming surveillance method, and this one operates through your computer's solid-state drive.

The technique is called FROST — short for Fingerprinting Remotely Using OPFS-Based SSD Timing — and it enables a hostile website to silently determine which other websites you have open and which applications are running on your device, all without requiring any action on your part beyond visiting the malicious page.

How the FROST Attack Actually Works

Exploiting a Side Channel

FROST is built on a concept known as a side-channel attack — a method of extracting sensitive information by observing indirect physical signals rather than directly breaching a system. These signals can include electromagnetic emissions, data caches, or the time it takes to complete specific operations. In this case, FROST targets what researchers call a contention side channel, which monitors how multiple processes compete for access to a shared resource.

By precisely measuring the input/output (I/O) timing of a visitor's SSD, researchers demonstrated they could identify which websites were open in other browser tabs — even across different browsers — and which applications were running on the device at that moment.

The Role of the Browser's File System

What makes FROST particularly notable is that it runs entirely within the web browser using JavaScript. It leverages the Origin Private File System (OPFS), a sandboxed storage space that websites can allocate for their own use without requiring any visitor interaction or permission. Although each OPFS instance is isolated from other websites and the broader operating system, JavaScript can still measure the timing of SSD read operations — and those measurements reveal a surprising amount.

The attack works by continuously performing random reads from a large OPFS file and detecting latency fluctuations caused by other active processes competing for SSD access. These timing traces are then fed into a pre-trained convolutional neural network (CNN) — a deep learning model capable of analyzing patterns — which classifies the traces to identify what the user has open on their system.

As the researchers explained: "SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model."

Why Browsers Are Increasingly Vulnerable

Modern web browsers are no longer simple document viewers. Companies like Google, Microsoft, and Adobe have transformed them into powerful platforms hosting full office suites, video editors, and integrated development environments. While these advancements have opened exciting new possibilities, they have also dramatically expanded the browser's attack surface — creating new opportunities for exploitation.

FROST is a direct consequence of this evolution, taking advantage of powerful browser APIs that were originally designed to enhance web application performance.

Known Limitations of the Attack

FROST is not without its constraints. Most significantly, the OPFS file used to conduct the attack must be exceptionally large — potentially exceeding one gigabyte. Deploying this at scale would likely raise red flags for many users who notice unusual storage consumption.

Additionally, the OPFS file must reside on the same SSD being used by the target system. If a user's applications are stored on a separate drive, those apps would fall outside the attack's detection range. It is also worth noting that no confirmed FROST attacks have been observed in the wild to date.

Researchers successfully carried out the complete FROST attack on an Apple M2 Mac. On Linux, the underlying measurement technique was validated, and researchers anticipate comparable results for a full attack given the similar performance characteristics. Windows was not included in the testing scope.

How to Protect Yourself

Fortunately, there are practical steps users can take to reduce their exposure:

• Close unused browser tabs promptly, as open tabs generate the SSD activity that FROST measures.
• Monitor OPFS file creation — tech-savvy users can track which websites are allocating large amounts of storage.
• Stay updated — the researchers have proposed that browser developers address this vulnerability by capping the maximum allowable size of OPFS files, which would effectively neutralize the attack.

Browser makers have been made aware of the issue, and solutions are being explored at the platform level.

Looking Ahead

The research detailing FROST is scheduled to be presented at the DIMVA security conference in July, where the full technical methodology will be available for review. As browsers continue to grow in complexity and capability, attacks like FROST serve as a stark reminder that expanding functionality always comes with expanded risk — and that the next privacy threat may already be hiding in plain sight.