FROST Attack Uses SSD Timing Side Channel to Fingerprint Browser Users
Researchers have demonstrated FROST, a JavaScript-only side-channel attack that exploits the Origin Private File System to measure SSD access timing and identify websites and applications a user is running.
A new browser-based side-channel attack named FROST (Fingerprinting Remotely using OPFS-based SSD Timing) allows malicious websites to track visitors by measuring tiny variations in SSD access times, turning normal browser activity into a privacy leak. Researchers demonstrated that the attack uses the browser's Origin Private File System (OPFS) to generate disk activity and read timing signals without requiring native code or special privileges. The technique is particularly concerning because it operates entirely within the browser sandbox, bypassing traditional defenses.
The attack works by having a malicious webpage continuously measure storage latency while the victim browses normally or uses other applications. The researchers found that OPFS can be used to create large files on disk that are large enough to force real SSD reads rather than memory cache reads. This allows the attacker to collect timing traces with enough detail to classify user activity. The attack does not steal data directly but instead watches how long SSD reads take while the victim is using the computer, then looks for patterns that match website visits or app launches.
On macOS, the researchers reported that the attack could predict accessed websites with an F1 score of 88.95 in a closed-world test and 86.95 in an open-world test. They also achieved an F1 score of 95.83 for application fingerprinting. The same work also built a covert channel between a native app and a malicious website, reaching a true capacity of 661.63 bits on Linux and 891.77 bits on macOS in one setup. This demonstrates that the timing leak is not just theoretical but can carry usable information.
The impact goes beyond website tracking. The research also showed that application usage can be fingerprinted, meaning attackers may infer whether someone opened tools such as Safari, System Settings, or other native apps. For privacy, that is a serious problem because it reveals behavior the user would not expect a web page to observe. The attack is dangerous because it does not depend on a browser crash, malware installation, or a classic exploit chain. A user only needs to visit an attacker-controlled site, and in the OPFS scenario, no extra permission prompt is required.
According to the researchers, limiting large OPFS storage usage, reducing access to high-resolution timers, and making browser file-system access more permission-based could mitigate the attack. They also note that browser vendors could alert users when many origins rapidly consume large amounts of OPFS storage. In practice, stronger browser restrictions and less precise timing sources would make this attack style harder to run.
The FROST attack highlights how even ordinary web features can create powerful side channels. SSD timing may sound obscure, but this research shows it can be used to quietly and remotely track people through the browser. As browsers continue to add capabilities like OPFS for legitimate applications, the security community must remain vigilant about unintended data leaks that can be exploited for fingerprinting and covert communication.