What Is FROST and Why It Matters
FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing, is a browser-based side-channel technique that measures subtle timing differences in solid-state drive operations to infer which websites and applications are active on a user’s system. It needs no installed software and does not rely on traditional cookies. Unlike classic tracking scripts or browser fingerprinting, FROST listens to the storage layer. It focuses on SSD contention, the slowdown that occurs when several programs compete for access to the same drive. By watching these performance ripples, a malicious page can build a profile of other activity on the machine. This makes FROST particularly troubling: visiting a single web page can reveal hints about other tabs, apps, or workloads, even though the browser sandbox never grants direct file access.

How Browser Storage Becomes a Side-Channel
FROST turns a legitimate browser feature, the Origin Private File System (OPFS), into an attack vector. OPFS gives each website its own sandboxed storage space for local data, intended to support offline apps and large files. FROST abuses this by creating large OPFS files and repeatedly reading or writing them via JavaScript. As the page performs these operations, it measures how long each one takes. When other apps or browser tabs hit the same SSD, their activity creates contention, and those timing measurements shift in recognizable patterns. These timing fingerprints can reveal whether specific sites or applications are active. The key insight is that this abuse of browser storage does not need malware, extensions, or elevated privileges: a user only needs to load a page containing the attack code. Previous SSD-based side-channel attacks required local software; FROST moves the entire method into the browser.

New Website Tracking Methods Beyond Cookies
Traditional website tracking methods rely on cookies, browser fingerprinting, and scripts that watch user interactions. FROST bypasses these by observing hardware behavior instead of browser state. Once a site controls JavaScript and OPFS access, it can run long-lived measurements in the background, building a timing profile of SSD activity over minutes or even hours. From that profile, it may infer which other sites you have open, when heavy applications start or stop, or whether you are running certain workloads. The same mechanism can even form a covert communication channel, with one process modulating SSD usage and another process decoding the pattern from timing changes. Because this activity happens below the level of cookies and local storage, it can slip past many privacy tools designed to block trackers, leaving users unaware that their drive behavior is being monitored.

Limitations, Detection Signs, and User Exposure
FROST is powerful but not unlimited. It only observes contention on the SSD that stores the browser’s OPFS data, so systems with separate drives for different workloads may leak less. Long-running measurements also need large OPFS files, which can consume noticeable disk space. Users who monitor storage usage might spot unusual growth linked to a particular website. The attack does not grant direct access to files and does not escape the browser sandbox; it infers patterns rather than reading documents or passwords. Still, the risk is that most users will not realize their SSD activity is visible through timing alone. As browsers evolve into full application platforms for office suites, editors, and IDEs, the line between local and web apps blurs, and hardware-level side-channels like FROST become a practical concern for routine browsing.

Mitigations and What to Watch For Next
Researchers propose several defenses against FROST. One option is to limit how much data sites can store via OPFS, making long, detailed measurements harder. Another is to reduce the precision of timing APIs available to JavaScript, blurring the SSD timing signals that FROST depends on. Browsers could also alert users when a site stores unusually large amounts of local data, signaling possible abuse of browser storage. The findings were disclosed to major browser vendors, with differing responses on whether this counts as a security vulnerability. Meanwhile, users can periodically clear site data, audit storage usage, and avoid leaving unknown tabs open for long periods. FROST shows that even without cookies, the hardware beneath your browser can become a tracking surface, and that future privacy protections must consider these low-level channels.
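
The timer-precision mitigation described above, as an added simulation (not code from the FROST researchers or from any browser): it models a clock that rounds to a fixed resolution and counts how often a single measurement still separates an idle operation from a contended one. The latency figures, clock resolutions, and function names are constructed for illustration.

```javascript
// Added example: simulated effect of timer coarsening on a timing signal.
// All latency figures are constructed, not measurements from the FROST work.

// mulberry32: small deterministic PRNG so every run gives the same result.
function makeRng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// What a clock with the given resolution reports for an operation lasting
// `trueMs` that starts at a random phase within one clock tick.
function measuredDuration(trueMs, resolutionMs, rng) {
  const start = rng() * resolutionMs;
  const tick = (t) => Math.floor(t / resolutionMs) * resolutionMs;
  return tick(start + trueMs) - tick(start);
}

// Fraction of single measurements that a midpoint threshold labels correctly
// as idle or contended, for a given clock resolution.
function singleSampleAccuracy(resolutionMs, samples = 2000, seed = 1) {
  const rng = makeRng(seed);
  const IDLE_MS = 0.30, CONTENDED_MS = 0.42, JITTER_MS = 0.03; // constructed
  const threshold = (IDLE_MS + CONTENDED_MS) / 2;
  let correct = 0;
  for (let i = 0; i < samples; i++) {
    for (const [base, isContended] of [[IDLE_MS, false], [CONTENDED_MS, true]]) {
      const trueMs = base + (rng() * 2 - 1) * JITTER_MS;
      const seen = measuredDuration(trueMs, resolutionMs, rng);
      if ((seen > threshold) === isContended) correct++;
    }
  }
  return correct / (2 * samples);
}

// Compare 5 µs, 100 µs and 1 ms clocks (illustrative resolutions).
function compareResolutions() {
  return [0.005, 0.1, 1].map((r) => ({ resolutionMs: r, accuracy: singleSampleAccuracy(r) }));
}

console.log(compareResolutions());
```

With these constructed figures, the 5 µs clock labels every sample correctly, while the 1 ms clock does little better than a coin flip on any single measurement.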
