Researchers have demonstrated FROST, a browser-only side-channel attack that leverages the Origin Private File System (OPFS) and SSD timing to infer what sites and applications a user has open. JavaScript can create large OPFS files and perform random reads to measure I/O contention; timing traces fed to a pretrained convolutional neural network enable fingerprinting across tabs and even different browsers without user interaction. Practical limits—needing gigabyte-scale OPFS allocations on the same physical SSD and potential detectability—constrain mass exploitation, but the work exposes new privacy risks in browser storage APIs and calls for mitigations from browser, OS, and SSD vendors.
FROST shows that web pages can exploit browser storage APIs and SSD timing to fingerprint user activity across tabs and browsers, raising new privacy and security concerns for web developers and platform designers. Tech teams must reassess threat models around client-side storage, I/O isolation, and browser API permissions to mitigate covert timing channels.
Dossier last updated: 2026-06-01 09:46:38
Researchers detailed FROST, a new browser-based side-channel attack that uses JavaScript and the Origin Private File System (OPFS) to measure subtle SSD I/O timing and infer which websites or apps a visitor has open. FROST runs entirely in-browser: a site creates a large OPFS file, performs random reads to observe SSD contention caused by other processes, and feeds timing traces into a pretrained convolutional neural network to classify activity. The attack requires no user interaction and can fingerprint activity across tabs and browsers, but needs very large OPFS files (on the order of gigabytes) and the file must reside on the same SSD, limiting stealth and scalability. The work raises new privacy and browser design concerns for web storage APIs and OS-level isolation.
Researchers introduced FROST, a browser-based side-channel attack that uses JavaScript and the Origin Private File System (OPFS) to measure SSD I/O contention and infer which websites and applications a user has open. By performing large random reads from an OPFS file and feeding timing traces into a pretrained convolutional neural network, attackers can classify user activity across tabs and even different browsers without user interaction. FROST’s requirements—an OPFS file likely gigabytes in size stored on the same SSD—limit stealth and large-scale deployment, and apps on separate drives may evade detection. Mitigations include closing unused tabs, monitoring large OPFS allocations, and platform-level fixes to reduce timing leakage.
Researchers disclosed FROST, a browser-only side-channel attack that uses JavaScript and the Origin Private File System (OPFS) to measure SSD I/O contention and infer which sites and apps a visitor has open. By performing large random reads against an OPFS file and feeding timing traces into a pretrained convolutional neural network, an attacker can fingerprint activity across tabs and even other browsers without user interaction. FROST’s constraints include requiring a very large OPFS file (likely gigabytes), storage on the same SSD as target apps, and detectable storage usage at scale. The finding highlights new privacy risks from browser storage APIs and raises mitigation needs for browser vendors and SSD/OS designers.