Updated · Ars Technica · May 27
FROST Lets Websites Track Other Tabs and Apps via SSD Timing in 1 Browser Session

2 articles · Updated · Ars Technica · May 27
  • FROST lets a website infer which other sites a visitor has open (even in other browsers) and which apps are running; the victim only has to load the attacking page.
  • The technique exploits SSD input-output timing through a contention side channel, using JavaScript and the browser’s Origin Private File System to measure storage delays.
  • Unlike earlier SSD side-channel attacks, FROST runs entirely inside the browser and needs no extra user interaction beyond opening the site.
  • The researchers say modern browsers’ expanded role as platforms for office suites, editors and IDEs has widened the attack surface, creating new privacy risks for web users.

FROST: Browser-Based SSD Timing Attack Achieves 95% Application Fingerprinting and 891 Bits/s Data Exfiltration

Overview

FROST is a newly disclosed browser-based side-channel attack that uses subtle timing patterns from Solid State Drives (SSDs) to track user activity across browser tabs and even native applications. The attack works by exploiting the Origin Private File System (OPFS) API, which is meant for web apps to store private data but unintentionally creates a measurable side channel through its interaction with SSD hardware. By relying on this OPFS mechanism, FROST can secretly monitor and profile user behavior, highlighting a significant vulnerability in modern browsers and operating systems.

...