What Is FROST and Why It Matters for Your Privacy
FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing, is an SSD tracking vulnerability where websites measure how your storage device responds to their own file operations and use those timing patterns to infer what other websites and applications are doing on your system. Instead of relying on cookies or traditional browser tracking methods, FROST turns your SSD’s behavior into a low-level website privacy exploit. By watching performance changes caused by multiple programs competing for the same storage, a site can build a fingerprint of your activity that persists across sessions. This FROST tracking technique highlights a new class of storage device security risks: attacks that need no malware, plug-ins, or elevated permissions, only JavaScript running in an ordinary browser tab.

How Websites Read SSD Activity Through Your Browser
FROST is a side-channel attack that exploits the Origin Private File System (OPFS), a browser feature that gives each site its own sandboxed storage area. When you visit a malicious or compromised page, its JavaScript rapidly reads and writes OPFS data while timing how long each operation takes. Those timings change when other apps or browser tabs are also talking to the same SSD, a phenomenon called storage contention. Over time, these subtle delays form patterns that reveal when you open files, launch apps, or load particular sites. The attack runs entirely inside the browser; users do not need to install software or grant special permissions. According to the paper’s authors, this is the first demonstrated attack that uses OPFS timing from JavaScript to leak information about a victim’s wider system activity.

From SSD Timings to a Persistent Browser Fingerprint
Once a site can measure SSD response times, it can combine those readings with built-in browser storage features to create a unique fingerprint. Large OPFS files can be used as a kind of sensor, capturing timing traces across multiple visits. Together with other browser tracking methods, these traces distinguish your device from others based on how your SSD behaves under load. Because the fingerprint comes from low-level storage behavior rather than visible identifiers like cookies, ad blockers and privacy modes may not stop it. The same mechanism can also act as a covert communication channel, with two colluding pages signaling through intentional SSD contention. This makes FROST a powerful website privacy exploit, able to correlate sessions and devices even when users try to reset conventional identifiers.

Which Devices Are Affected and What FROST Cannot Do
FROST targets consumer systems that use SSDs or similar modern storage devices, including laptops and desktops where the browser’s OPFS directory shares the same drive as everyday applications. Website fingerprinting is particularly reliable here, because OPFS data normally lives where the browser is installed. Application fingerprinting, such as spotting which editor or office suite you use, may be weaker on setups that split workloads across multiple drives. The attack does not give direct access to your files, nor does it break browser sandboxing. It infers behavior from performance signals rather than reading content. Long-running measurements also require large OPFS files, which may consume noticeable disk space that attentive users could spot. Even with these limits, FROST shows that storage device security now belongs on the same list of concerns as scripts, cookies, and fingerprinting.

Practical Steps to Reduce Your Exposure to FROST
Users cannot fully block FROST without browser or platform changes, but they can reduce practical risk. First, restrict which sites you trust with JavaScript, especially unfamiliar pages that ask to store large amounts of local data. Periodically clear site data and review how much storage each domain uses; unusually large entries may deserve scrutiny. Keep your browser updated so that any future mitigations, such as reduced timing precision or tighter OPFS limits, reach you quickly. Where possible, separate sensitive tasks from general browsing sessions, or even from the same device, so SSD contention leaks less about your most important activity. Finally, remember that this SSD tracking vulnerability operates below the level of normal privacy controls: combine traditional protections like tracker blocking with an awareness that your storage behavior can also become a fingerprint.
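
One way to carry out the storage review described above for a single site, as an added example that is not from the FROST paper or any browser vendor: it walks the current origin's OPFS tree and reports unusually large files. The 256 MiB threshold, the function names, and the mock directory are assumptions made for illustration; the audit only sees the OPFS of the origin it is run on.

```javascript
// Added example: audit what the current origin has stored in OPFS.
// In a browser DevTools console on the site being checked:
//   auditOpfs(await navigator.storage.getDirectory()).then(r => console.table(r.large))
const LARGE_FILE_BYTES = 256 * 1024 * 1024; // assumed threshold, not from the page

// Recursively walk a FileSystemDirectoryHandle and collect every file's size.
async function walk(dir, prefix, out) {
  for await (const [name, handle] of dir.entries()) {
    const path = prefix + "/" + name;
    if (handle.kind === "directory") {
      await walk(handle, path, out);
    } else {
      const file = await handle.getFile(); // File object; .size is in bytes
      out.push({ path, bytes: file.size });
    }
  }
  return out;
}

// Summarise the tree and list files at or above the threshold, largest first.
async function auditOpfs(rootDir, threshold = LARGE_FILE_BYTES) {
  const files = await walk(rootDir, "", []);
  const totalBytes = files.reduce((sum, f) => sum + f.bytes, 0);
  const large = files
    .filter((f) => f.bytes >= threshold)
    .sort((a, b) => b.bytes - a.bytes);
  return { fileCount: files.length, totalBytes, large };
}

// Constructed stand-in for an OPFS tree so the audit also runs outside a browser.
function mockDir(tree) {
  return {
    kind: "directory",
    async *entries() {
      for (const [name, v] of Object.entries(tree)) {
        yield [name, typeof v === "number"
          ? { kind: "file", getFile: async () => ({ size: v }) }
          : mockDir(v)];
      }
    },
  };
}

// Constructed sample: two small files and one 1 GiB file (sizes in bytes).
const sampleRoot = mockDir({
  "prefs.json": 2048,
  cache: { "thumbs.bin": 5 * 1024 * 1024, "blob0.dat": 1024 ** 3 },
});
```

A large file is not proof of measurement activity, since legitimate web apps also keep big OPFS files; treat a hit as a prompt to clear that site's data or check why it needs the space.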





