
New SSD Side-Channel Attack Lets Websites Spy on Your Browser Activity Without Permissions

Security researchers have uncovered a stealthy “FROST” attack that uses SSD timing signals exposed through browser APIs to fingerprint users, identify running apps, and track browsing behavior even in private mode.
May 28, 2026
Conceptual illustration of the FROST attack showing how SSD activity can be used to track browser behavior without permissions. [gbhackers]

A newly disclosed browser-based attack called FROST is raising fresh concerns about how modern web technologies can quietly erode user privacy. Security researchers say malicious websites can now analyze subtle SSD activity patterns to determine which websites users are visiting, what applications are running, and even track activity across browsers without requiring downloads, permissions, or clicks.

The attack, formally known as “Fingerprinting Remotely using OPFS-based SSD Timing,” was developed by researchers at Graz University of Technology in Austria. Unlike older side-channel attacks that relied on native code or privileged operating system access, FROST works entirely inside a standard browser sandbox using JavaScript and modern browser storage APIs.

Researchers say the technique abuses the Origin Private File System, or OPFS, a browser feature designed to help web apps store large local files efficiently. Chrome and other Chromium-based browsers, as well as Safari, support the API to improve performance for applications such as browser-based editors, productivity tools, and media software.

According to the research paper, attackers can create massive files inside the browser’s storage sandbox and continuously perform random SSD reads. Because the file size exceeds available RAM, the operating system is forced to access the physical SSD directly rather than cached memory. That activity produces tiny latency variations whenever other apps or browser tabs compete for SSD access.

Those latency fluctuations effectively become a behavioral fingerprint.

The progression of tracking methods used to identify users across the web, from cookies to SSD timing attacks. [blog]

Using machine learning models trained on SSD timing traces, the researchers achieved nearly 89% accuracy when identifying websites users visited and roughly 96% accuracy when identifying running applications on macOS test systems.

The findings are alarming because the attack reportedly requires no explicit permissions, browser extensions, malware installation, or user interaction beyond opening a malicious webpage. Researchers demonstrated the attack functioning across tabs and even across separate browsers running on the same device, adding to growing cybersecurity concerns surrounding modern tracking systems.

The FROST paper also explains how attackers can bypass browser timing protections using Cross-Origin Opener Policy and Cross-Origin Embedder Policy headers, which re-enable access to high-resolution timers such as performance.now(). These precise timers are critical for measuring SSD contention with enough granularity to infer user activity.
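
For defenders, the header pair described above is something that can be inventoried. The following is an added example, not code from the FROST paper or from this article: it checks captured document response headers for the enforcing COOP/COEP combination that puts a page in the cross-origin isolated state. The record format, the allowlist and all hostnames are constructed for illustration, and a flagged origin is only a lead for review, since legitimate web apps also use these headers.

```javascript
// Added example: triage of top-level document responses (constructed samples).
// A page becomes cross-origin isolated only when BOTH enforcing headers are set:
//   Cross-Origin-Opener-Policy: same-origin
//   Cross-Origin-Embedder-Policy: require-corp | credentialless
// The *-Report-Only variants only report violations and do not isolate the page.

function headerToken(headers, name) {
  // Header names are case-insensitive; values may carry parameters such as
  // `; report-to="endpoint"`, which do not change the policy token.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  if (key === undefined) return null;
  return String(headers[key]).split(";")[0].trim().toLowerCase();
}

function isCrossOriginIsolated(headers) {
  const coop = headerToken(headers, "cross-origin-opener-policy");
  const coep = headerToken(headers, "cross-origin-embedder-policy");
  return coop === "same-origin" &&
    (coep === "require-corp" || coep === "credentialless");
}

// Returns the sorted list of origins that request isolation and are not
// on the reviewer's allowlist (hypothetical parameter for known web apps).
function flagIsolatedOrigins(records, allowlist = new Set()) {
  const flagged = new Set();
  for (const { url, headers } of records) {
    const origin = new URL(url).origin;
    if (!allowlist.has(origin) && isCrossOriginIsolated(headers)) {
      flagged.add(origin);
    }
  }
  return [...flagged].sort();
}

// Constructed records, shaped like an export from an inspecting proxy.
const SAMPLE_RECORDS = [
  { url: "https://editor.example/app", headers: {
      "Cross-Origin-Opener-Policy": "same-origin",
      "Cross-Origin-Embedder-Policy": "require-corp" } },
  { url: "https://news.example/story", headers: {
      "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
      "Cross-Origin-Embedder-Policy": "require-corp" } },
  { url: "https://unknown.example/", headers: {
      "cross-origin-opener-policy": 'same-origin; report-to="coop"',
      "cross-origin-embedder-policy": "credentialless" } },
  { url: "https://reportonly.example/", headers: {
      "Cross-Origin-Opener-Policy-Report-Only": "same-origin",
      "Cross-Origin-Embedder-Policy-Report-Only": "require-corp" } },
];
```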

Security researchers have long warned that browser fingerprinting is becoming increasingly sophisticated as APIs expose deeper hardware-level behavior. Earlier attacks focused on CPU cache timing, GPU workloads, network metadata, and memory access patterns. FROST expands that threat landscape into SSD activity monitoring.

The researchers disclosed their findings to Google, Mozilla, and Apple before publication. Responses from browser vendors appear mixed. Google reportedly stated that fingerprinting attacks are not considered security vulnerabilities under its current classification model. Apple said the issue is “currently out of scope,” while Mozilla acknowledged the findings but has not implemented mitigations yet. The disclosure comes amid rising Google Chrome privacy concerns tied to evolving web tracking techniques.

One particularly concerning detail involves storage allocation limits. Researchers noted that Chrome and Safari may allow websites to consume up to 60% of a device’s available storage through OPFS. On a 256GB SSD, that could mean more than 150GB allocated to the attack mechanism.

The attack currently appears most effective on macOS and Linux systems, though the broader implications for Windows systems and enterprise environments remain under investigation. Researchers also demonstrated covert communication channels using SSD contention, achieving transfer rates approaching 900 bits per second on macOS. The findings may intensify scrutiny around enterprise-focused threats including recent Windows zero-day vulnerability disclosures and Microsoft Defender vulnerabilities.

Privacy advocates warn that side-channel attacks like FROST are especially dangerous because they often bypass traditional security expectations. Users may assume browser sandboxing and permission prompts prevent websites from observing device-level behavior, but timing-based attacks exploit indirect hardware interactions rather than direct data access. Experts say the trend reflects a broader shift toward digital surveillance methods embedded inside ordinary browsing experiences.

The disclosure arrives amid growing scrutiny of browser fingerprinting and surveillance technologies. Regulators and browser vendors have spent years attempting to limit invasive tracking methods such as third-party cookies, canvas fingerprinting, and network fingerprinting. FROST suggests attackers are increasingly shifting toward hardware-level telemetry that is much harder to block without sacrificing browser performance or functionality.

For now, there is no universal mitigation available for regular users. Security researchers suggest that limiting exposure to untrusted websites, using hardened browser privacy settings, disabling unnecessary browser features where possible, and isolating browsing sessions may help reduce risk. Some experts also believe stricter timer restrictions and OPFS access limitations could eventually reduce the attack’s effectiveness. Users already worried about broader Android security threats and spyware detection issues may see the FROST disclosure as another warning sign for the future of browser privacy.

Technology Desk
