Updated · Tom's Hardware · May 28
Graz Researchers Uncover FROST Attack With 96% App Fingerprinting via Browser OPFS

3 articles · Updated · Tom's Hardware · May 28
  • FROST let a malicious webpage identify other open sites with about 89% accuracy and running apps with about 96% accuracy on a tested M2 Mac Mini.
  • OPFS enables the attack by letting sites create huge local files without permission; once the file exceeds available RAM, random 4 KB reads expose SSD latency spikes caused by other activity.
  • A convolutional neural network classifies those storage-level timing patterns, and the method worked across browsers, with Chrome-to-Safari testing showing only a 3.38% throughput difference from same-browser attacks.
  • Chrome and Safari can let a site claim up to 60% of disk space through OPFS—more than 150 GB on a 256 GB drive—making the attack noticeable but still feasible.
  • Google said fingerprinting is not a security vulnerability, Apple called the issue out of scope, and Mozilla acknowledged the findings, leaving near-term browser fixes unlikely.

FROST: Browser-Based SSD Timing Attack Achieves 95% Application Fingerprinting and 891 Bits/s Data Exfiltration

Overview

FROST is a newly disclosed browser-based side-channel attack that uses subtle timing patterns from Solid State Drives (SSDs) to track user activity across browser tabs and even native applications. The attack works by exploiting the Origin Private File System (OPFS) API, which is meant for web apps to store private data but unintentionally creates a measurable side channel through its interaction with SSD hardware. By relying on this OPFS mechanism, FROST can secretly monitor and profile user behavior, highlighting a significant vulnerability in modern browsers and operating systems.

...