MilikMilik

How Websites Are Secretly Tracking You Through Your SSD

What FROST Is and Why SSD Behavior Matters

FROST is an SSD tracking technique that lets websites infer what else you are doing on your device by measuring subtle timing patterns in your drive’s activity through the browser. It avoids traditional cookies and visible trackers while still revealing meaningful details about your behavior and system workload. Instead of relying on identifiers like cookies or browser fingerprinting, FROST (short for Fingerprinting Remotely using OPFS-based SSD Timing) turns your storage hardware into a side channel. It observes how long storage operations take when different apps or websites compete for the same SSD, a phenomenon called SSD contention. Those timing differences form a kind of behavioral fingerprint that can hint at which sites or applications are active. This makes FROST a new class of website tracking method that works below the surface of standard browser privacy controls and ad-blocking tools.

How FROST Exploits the Browser’s Origin Private File System

FROST works by abusing the Origin Private File System (OPFS), a browser feature that gives each website its own sandboxed storage space. With a bit of JavaScript, a page can create a large OPFS file and repeatedly read and write to it, measuring how long each operation takes. When other apps or browser tabs are also using the same SSD, contention slows some of these operations in recognizable patterns. By collecting these timing measurements over time, the site can infer whether specific websites or applications are active. According to the researchers, this is the first attack that uses OPFS to leak information from a system through JavaScript alone. You do not need to install malware, add extensions, or grant special permissions—visiting a single page that hosts the attack code is enough to expose you to this FROST privacy threat.

Why SSD-Based Tracking Is Harder to Detect and Block

Unlike cookies or third-party trackers, FROST hides inside normal-looking storage operations, making it far harder for standard privacy tools to flag. Ad blockers, tracker-blocking extensions, and private browsing modes focus on blocking known scripts, cross-site requests, or obvious identifiers. FROST sidesteps these defenses by using built-in browser APIs in a way they were not originally designed for. Because OPFS is meant for modern web apps and offline functionality, disabling it outright can break legitimate tools such as online office suites or editors. The technique also does not read your files directly or escape the browser sandbox; it only measures timing. That subtlety means it can operate quietly in the background as long as a tab is open, adding a new, less visible layer to the arsenal of website tracking methods.

Limitations of FROST—and What Still Keeps You Safer

FROST has real constraints, which offer some natural friction for attackers. Long-running measurements work best when the script can create a large OPFS file, which consumes noticeable disk space over time. Users who pay attention to available storage or who regularly clear browser data may notice unusual disk usage from a single website. The attack also depends on the activity it wants to fingerprint running on the same SSD as the browser. That means application fingerprinting is less reliable on systems that separate workloads across different drives, while website fingerprinting remains more feasible because browsers usually store OPFS data in their default location. Importantly, FROST does not bypass the browser sandbox or grant direct access to your stored files. It observes side effects, not contents, which limits the kind of data it can reveal about your system.

Practical Steps to Improve Your Browser Privacy Protection

You cannot fully control how browsers implement OPFS, but you can reduce your exposure to the FROST privacy threat with a few habits and settings. First, regularly clear site data and local storage, including “offline” or “site” files in your browser’s privacy menu; this can delete large OPFS files an attacker relies on. Second, use privacy-focused browsers or profiles that restrict high-precision timing, limit storage quotas, or isolate sites more aggressively. Some browsers already reduce timer precision to weaken side-channel attacks. Third, watch storage and permissions: periodically review which sites are allowed significant local storage and remove those you do not trust. Finally, keep browser and operating system updates enabled, since vendors may introduce mitigations like tighter OPFS limits or warnings when a site stores unusually large amounts of data.
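One way to carry out the "watch storage" step for a single site is to list what that origin has actually placed in OPFS. The script below is an added example, not code from the FROST researchers or from this article; the `LARGE_FILE_BYTES` threshold and the function names are assumptions chosen for illustration.

```javascript
// Added example: audit what the current origin has stored in OPFS.
// LARGE_FILE_BYTES is an assumed threshold, not a value from the FROST research.
const LARGE_FILE_BYTES = 256 * 1024 * 1024;

// Recursively walk a FileSystemDirectoryHandle and collect every file's size.
async function walkOpfs(dirHandle, prefix = "") {
  const files = [];
  for await (const [name, handle] of dirHandle.entries()) {
    const path = `${prefix}/${name}`;
    if (handle.kind === "directory") {
      files.push(...(await walkOpfs(handle, path)));
      continue;
    }
    try {
      const file = await handle.getFile();
      files.push({ path, bytes: file.size });
    } catch (err) {
      // getFile() can reject (for example if the entry disappears mid-walk);
      // keep the entry in the report instead of aborting the audit.
      files.push({ path, bytes: null, error: String(err) });
    }
  }
  return files;
}

// Summarise the walk: totals, unreadable entries, and files at or above the threshold.
async function auditOpfs(rootHandle, threshold = LARGE_FILE_BYTES) {
  const files = await walkOpfs(rootHandle);
  files.sort((a, b) => (b.bytes ?? 0) - (a.bytes ?? 0));
  return {
    fileCount: files.length,
    totalBytes: files.reduce((sum, f) => sum + (f.bytes ?? 0), 0),
    unreadable: files.filter((f) => f.bytes === null),
    largeFiles: files.filter((f) => f.bytes !== null && f.bytes >= threshold),
  };
}

// In a browser console, run against the real OPFS root of the open site.
if (typeof navigator !== "undefined" && navigator.storage?.getDirectory) {
  (async () => {
    const report = await auditOpfs(await navigator.storage.getDirectory());
    const { usage, quota } = await navigator.storage.estimate();
    console.log("OPFS files:", report.fileCount, "bytes:", report.totalBytes);
    console.log("Origin storage usage/quota:", usage, quota);
    console.table(report.largeFiles);
  })();
}
```

OPFS is per origin, so the script only sees the storage of the site whose page it runs on; paste it into the developer console of the tab you want to inspect.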
