Researchers have uncovered a new technique called FROST that allows websites to monitor which apps and other websites users have open by exploiting subtle interactions with their devices’ solid-state drives (SSDs) through the browser.
What happened
The FROST attack, described in a recent research paper, uses JavaScript to measure timing differences in input-output (I/O) operations on a device’s SSD within the browser. By analyzing these timing differences—caused by competing processes accessing the SSD—the technique can infer activity such as websites open in other browser tabs or apps running on the same device. This is accomplished via a contention side-channel, a method that detects variations in system resource use to uncover sensitive information without direct user interaction.
FROST leverages the origin private file system (OPFS) API, which allows websites to create large files in sandboxed storage space without user permission. The attack continuously reads a large OPFS file—around a gigabyte in size—to detect latency shifts caused by other active processes. The collected timing data is then fed into a pretrained convolutional neural network (CNN) that classifies and fingerprints user activity.
The research team successfully demonstrated the full FROST attack on an Apple M2 Mac, showing it could accurately detect other browser tabs and running apps. They also confirmed the core SSD timing measurement works on Linux, though a complete attack was not tested. Windows was not tested.
Why it matters
This discovery highlights a new privacy risk emerging from increasingly complex web browsers that function as full application platforms. Unlike previous side-channel attacks requiring special conditions or software, FROST executes entirely within a browser using JavaScript, without requiring user interaction beyond visiting a compromised website.
The attack’s ability to detect user activity across sites and apps circumvents the isolation that browser sandboxing is meant to provide between sites, and between the browser and other apps, and could be used for covert tracking, user profiling, or targeted surveillance.
While FROST demands large storage allocation—making large-scale deployment potentially detectable—it reveals vulnerabilities in current browser architectures and underscores the need for mitigations at the browser and operating system levels.
Background
Side-channel attacks exploit indirect leakage from hardware or software, such as timing variations or electromagnetic signals, to infer private information. Browsers today host complex applications including office suites and development environments, increasing their attack surface.
The OPFS API was introduced to allow persistent, site-specific storage for web apps, but this research reveals it can be abused to create timing side channels based on SSD access patterns.
The researchers suggest potential defenses such as limiting the size of OPFS files or monitoring their creation, and urge browser developers to address this class of vulnerability. The findings will be presented at the DIMVA security conference in July.
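The two defenses named above, an OPFS file-size cap and monitoring of how created files are used, as an added illustration that is not code from the paper, the article, or any browser: the telemetry format, the event names, the 512 MiB cap and the 200 MiB/s read-rate threshold are all constructed assumptions.

```python
from collections import defaultdict

MAX_FILE_BYTES = 512 * 1024**2   # assumed policy: largest OPFS file a single origin may create
MIN_READ_MBPS = 200.0             # assumed threshold: sustained re-read rate typical of a contention probe

# Constructed sample storage telemetry (hypothetical format, not from any real browser):
# (origin, event, bytes, seconds since that origin created its OPFS file)
SAMPLE_EVENTS = [
    ("https://docs.example",   "opfs_create",       4 * 1024**2,  0),
    ("https://docs.example",   "opfs_read",         1 * 1024**2,  5),
    ("https://bad.example",    "opfs_create",       1024**3,      0),   # gigabyte-scale file
    ("https://bad.example",    "opfs_read",         1024**3,      2),   # read again and again
    ("https://bad.example",    "opfs_read",         1024**3,      4),
    ("https://bad.example",    "opfs_read",         1024**3,      6),
    ("https://bad.example",    "opfs_read",         1024**3,      8),
    ("https://photos.example", "opfs_create",       2 * 1024**3,  0),   # large but read sparingly
    ("https://photos.example", "opfs_read",         64 * 1024**2, 30),
]

def over_size_cap(events, cap=MAX_FILE_BYTES):
    """Origins that created an OPFS file larger than the cap (the 'limit file size' defense).
    Note that size alone also catches legitimate bulky apps such as the photo site."""
    return sorted({o for o, ev, size, _ in events if ev == "opfs_create" and size > cap})

def read_rates(events):
    """Average MiB/s each origin has read from its OPFS file since creating it.
    A contention probe re-reads a huge file continuously, so its average rate stays high."""
    totals, last_t = defaultdict(int), {}
    for origin, ev, size, t in events:
        if ev != "opfs_read":
            continue
        totals[origin] += size
        last_t[origin] = max(last_t.get(origin, 0), t)
    # Clamp the elapsed time to one second so a single early read cannot divide by zero.
    return {o: total / max(last_t[o], 1) / 1024**2 for o, total in totals.items()}

def continuous_readers(events, min_mbps=MIN_READ_MBPS):
    """Origins whose sustained read rate looks like a timing probe (the 'monitoring' defense).
    This flags only the re-reading site, not the photo site that merely stored a large file."""
    return sorted(o for o, rate in read_rates(events).items() if rate >= min_mbps)

if __name__ == "__main__":
    print("over cap:", over_size_cap(SAMPLE_EVENTS))
    print("continuous readers:", continuous_readers(SAMPLE_EVENTS))
```

Combining the two checks narrows the alert to origins that both allocate a very large file and keep re-reading it, which is the pattern the article describes.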
Sources
This article is based on reporting and publicly available information from the following source: