New FROST Attack Lets Websites Track Your Activity, Just by Watching Your SSD

Published June 18th, 2026 by Bayonseo

It's possible that your solid-state drive (SSD) is discreetly revealing your offline and internet secrets. FROST (Fingerprinting Remotely using OPFS-based SSD Timing), a novel side-channel attack developed by researchers at Graz University of Technology, enables any malicious website to determine which other websites you are visiting and which apps you are running without requiring any native code, special permissions, or user interaction.


How the Attack Works

FROST abuses the Origin Private File System (OPFS), a legitimate browser API. Originally intended to support sophisticated web programs like in-browser editors and IDEs, OPFS allows web apps to store data on your local disk without requesting permission.

When you visit a website that is hosting the attack, the following occurs:

  • Within its OPFS storage region, the page creates a giant file (more than 1 GB) that is too large for the operating system to keep cached in fast memory (RAM), so every read has to go to the SSD itself.
  • It repeatedly reads random 4 kB portions of that file, timing each read with millisecond accuracy. Browsers normally blur timer precision, but the website can restore it by enabling cross-origin isolation.
  • When a background application accesses the drive or another tab loads a webpage, they compete with the page for I/O resources. This "contention" momentarily slows the attacker's reads, and the resulting minute timing changes are fed to a pre-trained convolutional neural network.
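
Seen from the defender's side, the three steps above leave a recognizable storage pattern. The following is an added example, not code from the FROST researchers or any browser vendor: it scores a per-origin storage trace for a large file, sustained random 4 kB reads and cross-origin isolation. The trace format, field names and the `MIN_PROBES` / `MIN_RANDOM_RATIO` thresholds are assumptions, and the sample traces are constructed.

```javascript
// Added example; trace format and thresholds are assumptions, not a real telemetry schema.
const BIG_FILE_BYTES = 1e9;    // page: file of "more than 1 GB"
const PROBE_BYTES = 4096;      // page: random 4 kB reads
const MIN_PROBES = 1000;       // assumed: sustained probing, not a one-off read
const MIN_RANDOM_RATIO = 0.9;  // assumed: share of probes that are non-sequential

function scoreOrigin(trace) {
  const probes = trace.events.filter(e => e.op === 'read' && e.length === PROBE_BYTES);
  // A probe is sequential if it starts where the previous one ended.
  let nonSequential = 0;
  for (let i = 1; i < probes.length; i++) {
    const prev = probes[i - 1];
    if (probes[i].offset !== prev.offset + prev.length) nonSequential++;
  }
  const randomRatio = probes.length > 1 ? nonSequential / (probes.length - 1) : 0;
  const signals = {
    bigFile: trace.largestFileBytes > BIG_FILE_BYTES,
    randomProbes: probes.length >= MIN_PROBES && randomRatio >= MIN_RANDOM_RATIO,
    highResTimer: trace.crossOriginIsolated === true,
  };
  const score = Object.values(signals).filter(Boolean).length;
  return { origin: trace.origin, signals, score, suspicious: score === 3 };
}

// Constructed read events (not captured data); fixed seed keeps them reproducible.
function makeReads(count, fileBytes, random) {
  const blocks = Math.floor(fileBytes / PROBE_BYTES);
  const events = [];
  let state = 20260618;
  for (let i = 0; i < count; i++) {
    state = (state * 48271) % 2147483647; // Park-Miller generator
    const block = random ? state % blocks : i % blocks;
    events.push({ op: 'read', offset: block * PROBE_BYTES, length: PROBE_BYTES });
  }
  return events;
}

const sampleTraces = [
  { origin: 'https://tracker.example', largestFileBytes: 1.5e9, crossOriginIsolated: true,
    events: makeReads(2000, 1.5e9, true) },
  // In this constructed trace an IDE shares two signals but reads its file in order.
  { origin: 'https://ide.example', largestFileBytes: 2e9, crossOriginIsolated: true,
    events: makeReads(2000, 2e9, false) },
  { origin: 'https://notes.example', largestFileBytes: 5e6, crossOriginIsolated: false,
    events: makeReads(50, 5e6, true) },
];
for (const r of sampleTraces.map(scoreOrigin)) {
  console.log(r.origin, r.score, r.suspicious ? 'FLAG' : 'ok', JSON.stringify(r.signals));
}
```

Requiring all three signals keeps the constructed IDE trace, which has a large file and cross-origin isolation but sequential reads, from being flagged.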


Uncomfortably Accurate

On a test Mac, FROST identified the top 50 websites with an F1 score of 88.95% in a closed‑world test, dropping only slightly to 86.95% when 300 unfamiliar sites were mixed in. For native macOS apps, the accuracy reached 95.83%. The attack also works across different browsers – running the malicious page in Chrome while you browse in Safari barely affects its success rate.

Previous SSD‑based attacks required native code with privileged kernel interfaces, which limited their practicality. FROST drops that requirement entirely, making the threat purely browser‑based and remotely exploitable.


Browser Vendors’ Response

Google, Apple, and Mozilla were informed of the research team's results. According to reports, Apple stated that the attack is "currently out of scope," Mozilla acknowledged the findings without making any immediate changes, and Google does not view fingerprinting as a security flaw. This leaves hundreds of millions of users exposed.


How to Protect Yourself

You can take the following actions to lessen your risk until browser manufacturers take action:

  • Keep your browser up to date because the underlying API may be addressed by future fixes.
  • Use a privacy-focused browser or a plugin; some community initiatives currently provide protection tailored to FROST. For instance, the "FROST Guard" plugin adds jitter to timing measurements and caps OPFS file sizes to neutralize the attack.
  • Close any tabs you're not actively using. The attack requires an open tab to function, so closing it instantly halts the measurement.
  • Use separate drives: because the OPFS file must be on the same physical disk as the targeted activity, the attack's effectiveness is limited if your machine has different SSDs for the operating system, apps, and browser cache.


How Bayon Technologies Group Can Help You Stay Safe

We at Bayon Technologies Group are aware that browser-based side-channel attacks, such as FROST, are a new category of privacy risk. These subtle timing channels are frequently overlooked by traditional endpoint security. We help organizations:

  • Assess browser-based risks across their workforce and put group policies in place to manage risky APIs like OPFS.
  • Manage extension-based protections (like FROST Guard) at scale and implement privacy-hardened browser setups.
  • Encourage a culture of "tab hygiene" by teaching your staff about contemporary tracking methods and keeping an eye out for questionable site activity.

Keep your SSD from turning into a quiet spy. To protect your browsing environment from the upcoming wave of invisible tracking, get in touch with Bayon Technologies Group right now!
