Published on June 9, 2026

New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing
Severity

Medium

Detail

Researchers from Graz University of Technology have identified a new browser-based side-channel attack called FROST (Fingerprinting Remote Operating System Timing) that allows a malicious website to determine which websites a user visits and which applications they open by monitoring SSD access timing.

The attack abuses the Origin Private File System (OPFS), a browser storage feature introduced to support web applications that require local file storage. OPFS is available in major desktop browsers and allows websites to create and access sandboxed storage without requiring user permission. Unlike previous SSD timing attacks that required native code execution on the target system, FROST operates entirely within the browser sandbox using JavaScript. The attack does not require browser extensions, elevated privileges, or permission prompts, making it a remote and low-interaction privacy threat.

How?

The attack begins when a user visits a malicious website. The website leverages OPFS to create a file larger than the system’s available RAM, forcing file operations to interact directly with the SSD instead of being served from memory cache. The malicious page continuously performs randomized read operations against the large OPFS file while measuring access times using browser timing APIs. By enabling cross-origin isolation, the attacker can increase timer precision and obtain more accurate measurements.

When the user opens a website or launches an application that accesses the same storage device, disk contention occurs. These changes in SSD response times create identifiable timing patterns that can be monitored by the malicious page. Machine learning models trained on these timing traces can then infer user activity, including:

  • Identification of websites visited by the user.
  • Detection of locally executed applications.
  • Establishment of covert communication channels between native applications and browser content.

Testing performed on macOS demonstrated website identification accuracy approaching 89% and application identification accuracy exceeding 95% for selected pre-installed applications. The attack remains active only while the malicious webpage remains open in the browser. No evidence currently indicates active exploitation in the wild.

Recommendation

Organizations should assess exposure to browser-based side-channel monitoring and implement the following security measures:

  • Educate users to close untrusted browser tabs when not actively in use, reducing opportunities for long-running timing analysis.
  • Monitor browser storage consumption and investigate unusual creation of large OPFS-backed files.
  • Restrict access to untrusted websites through web filtering and secure browsing controls.
  • Deploy endpoint monitoring solutions capable of detecting abnormal browser storage activity and excessive disk access patterns.
  • Evaluate browser hardening options and future vendor security updates addressing OPFS abuse and high-resolution timing measurements.
  • Consider storage isolation strategies where sensitive workloads operate on separate storage devices from general web browsing activities.
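The second recommendation above asks defenders to watch browser storage for the creation of very large OPFS-backed files. The following is an added example, not code from the advisory or from the FROST researchers, of a simple endpoint check that walks a browser profile directory and flags storage-backed files whose size reaches a threshold tied to physical RAM (the advisory notes the probing file must exceed available RAM). The storage directory names (Chromium's "File System" folder, Firefox's "storage/default/<origin>/fs") and the 50% of RAM / 1 GiB fallback threshold are assumptions to verify against the browsers in use.

```python
"""Flag unusually large browser-storage files in a profile directory.

Added example for the advisory's monitoring recommendation; not from the
advisory or the FROST paper. Directory markers and thresholds are assumptions.
"""
import os
from typing import Iterable, List, Optional, Tuple

# Assumed sub-directories under which browsers keep origin-scoped storage:
# Chromium family uses a "File System" folder in the profile; Firefox uses
# "storage/default/<origin>/fs". Both are assumptions, not facts from the page.
STORAGE_DIR_MARKERS = ("File System", os.path.join("storage", "default"))

# Constructed fallback threshold (1 GiB) used when physical RAM is unknown.
DEFAULT_THRESHOLD = 1 << 30


def physical_ram_bytes() -> int:
    """Return total physical RAM in bytes, or 0 if the platform hides it."""
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    except (AttributeError, ValueError, OSError):
        return 0


def choose_threshold(ram_bytes: int, fraction: float = 0.5) -> int:
    """Threshold = a fraction of RAM (assumed 50%); fall back to DEFAULT_THRESHOLD."""
    if ram_bytes <= 0:
        return DEFAULT_THRESHOLD
    return int(ram_bytes * fraction)


def is_storage_path(path: str) -> bool:
    """True if the path lies under one of the assumed browser storage directories."""
    norm = os.path.normpath(path)
    return any(marker in norm for marker in STORAGE_DIR_MARKERS)


def flag_large_files(entries: Iterable[Tuple[str, int]],
                     threshold: int) -> List[Tuple[str, int]]:
    """Return (path, size) pairs for storage-backed files >= threshold, largest first.

    Cache files and other non-storage paths are ignored even when large, so the
    check targets the sandboxed storage area a web page can write to.
    """
    hits = [(p, s) for p, s in entries if s >= threshold and is_storage_path(p)]
    return sorted(hits, key=lambda e: e[1], reverse=True)


def walk_sizes(root: str) -> Iterable[Tuple[str, int]]:
    """Yield (path, size) for every regular file under root; skip unreadable ones."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.path.getsize(full)
            except OSError:
                continue


def scan_profile(root: str, threshold: Optional[int] = None) -> List[Tuple[str, int]]:
    """Scan a browser profile directory and return flagged storage files."""
    if threshold is None:
        threshold = choose_threshold(physical_ram_bytes())
    return flag_large_files(walk_sizes(root), threshold)


if __name__ == "__main__":
    # Constructed sample entries standing in for a walked profile directory.
    sample = [
        ("/home/u/.config/chromium/Default/File System/000/t/00/00000000", 6 << 30),
        ("/home/u/.config/chromium/Default/Cache/f_000123", 3 << 30),  # cache, ignored
        ("/home/u/.mozilla/firefox/abc.default/storage/default/https+++example.test/fs/f", 512 << 20),
    ]
    for path, size in flag_large_files(sample, 1 << 30):
        print(f"{size / (1 << 30):.1f} GiB  {path}")
```

Run `scan_profile("/path/to/browser/profile")` on an endpoint; a hit is a reason to look at which origin owns that storage, not proof of abuse, since legitimate offline web applications also use OPFS.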

Source

https://thehackernews.com/2026/06/new-frost-attack-lets-websites-track.html