Your SSD Is Leaking Data: New ‘FROST’ Attack Fingerprints Open Apps via Browser Storage
Table of Contents
The New Frontier of Browser Fingerprinting
For years, the battle for user privacy has centered on cookies, device fingerprinting, and keystroke logging. But a new research paper has unveiled a more insidious method of surveillance that bypasses traditional software sandboxes by targeting the physical hardware of the computer: the solid-state drive (SSD).
The technique, dubbed FROST (Fingerprinting Remotely using OPFS-based SSD timing), allows a malicious website to determine which other tabs you have open—even in different browsers—and which third-party applications are currently running on your device. It does this not by hacking into your OS, but by measuring the microscopic delays in how your hardware processes data.
How the ‘Contention Side Channel’ Works
FROST relies on what security researchers call a contention side channel. In simple terms, when multiple processes on a computer try to access the SSD simultaneously, they compete for the drive’s resources. This competition creates measurable latency—tiny delays in how long it takes for a specific read or write operation to complete.
The attack leverages the Origin Private File System (OPFS), a modern browser feature designed to give websites a dedicated, sandboxed storage area for complex tasks, such as running a web-based video editor or a full-fledged IDE. While the OPFS is logically isolated from the rest of the system, it still shares the same physical SSD hardware as every other app on your Mac or PC.
By using JavaScript to perform random reads from a massive file within the OPFS, a malicious site can create a baseline of SSD performance. When you switch to another tab or open a heavy application like Slack or Photoshop, the SSD’s response time shifts. FROST captures these timing traces and feeds them into a pretrained convolutional neural network (CNN). This deep-learning model can then classify the specific “signature” of that latency to identify exactly which application is causing the interference.
The Hardware Gap: M2 Macs and Linux
The researchers demonstrated the full FROST attack on a machine equipped with an Apple M2 chip, proving that the high-speed integration of Apple’s silicon doesn’t necessarily insulate users from timing attacks. While the full classification model wasn’t deployed on Linux, the team confirmed that the “underlying primitive”—the ability to measure SSD access latency via JavaScript—works just as effectively on Linux systems.
Hannes Weissteiner, one of the study’s co-authors, noted in an email that because the performance of these primitives is consistent across macOS and Linux, the full attack would likely be just as effective on those platforms. Essentially, if a system activity generates reliable SSD access, it can be fingerprinted.
The Practical Constraints of a Large-Scale Attack
Despite the sophistication of the attack, FROST isn’t a “silent killer” just yet. The researchers noted a significant bottleneck: for the attack to be accurate, the malicious site must allocate an extremely large OPFS file—typically a gigabyte or more.
In a real-world scenario, a website suddenly claiming a gigabyte of your disk space is a red flag that would likely trigger browser warnings or be noticed by the user. Furthermore, if a user has their applications installed on a separate physical SSD from their browser cache, the attack is neutralized, as the contention occurs on different hardware paths.
Mitigating the Risk
Currently, there are no reports of FROST being used in the wild, but the research is scheduled for presentation at the DIMVA conference in July, which typically prompts browser vendors to implement patches. The researchers suggest that browser makers could mitigate this vulnerability by capping the maximum size of OPFS files or introducing “noise” into the timing of I/O operations to mask the latency signatures.
For the average user, the most immediate defense is basic digital hygiene: closing unnecessary tabs and being cautious of unknown sites that request significant storage permissions. As browsers evolve into full operating systems capable of running complex software, the attack surface continues to expand, turning once-helpful features like the OPFS into potential surveillance tools.
