Skip to main content
TechnologyMay 28, 2026· 4 min read

FROST uses your SSD to spy on open sites in other tabs

Modern browsers now run full applications, from video editors to development environments, and to do this, they have gained increasingly direct access to the user's disk. It is precisely one of these functions that enables the latest attack devised by a group from Graz University of Technology: it is called FROST (Fingerprinting Remotely using OPFS-based SSD Timing) and allows a website to deduce which other sites and applications are open on the device by measuring pure JavaScript micro-variations in SSD access times. The peculiarity is that the measurement occurs entirely in the browser, without the native code that similar attacks have required so far.

The attack works as a drive-by: the victim simply needs to visit a malicious page and leave it open in the background while performing other activities. From that moment on, the code observes disk activity and reconstructs the sites visited in other tabs, even in a different browser, and the applications started on the system. No interaction or explicit permission is required.

The exploitation of contention for SSD access as a side channel had already been demonstrated by Juffinger and colleagues in Secret Spilling Drive, presented at NDSS 2025, with high accuracy in site recognition. However, that work relied on low-latency native interfaces like io_uring, and it was enough to limit access to neutralize it. The contribution of FROST is precisely the removal of that requirement: the same type of measurement is obtained from a browser tab, without privileges.

How SSD contention becomes measurable from JavaScript

The core of the attack is the Origin Private File System (OPFS), an isolated storage area that each site can create without asking for user confirmation. Because it is isolated from the rest of the system, OPFS requires fewer security checks than access to regular files, making it fast enough for measurements.

Researcher Hannes Weissteiner points out that researchers exploit a known property of operating systems: the page cache serves already read data in memory, masking the real disk times. To bypass it, FROST creates a file larger than the system memory, ensuring that every new access is forced to read from the SSD. At that point, the script performs random reads from that file and times each operation: when another activity uses the same disk, contention introduces measurable delays. The temporal traces collected are fed into a CNN neural network trained to recognize the signature of each site or application. To achieve high-resolution timers, the attacker sets COOP/COEP headers that enable cross-origin isolation.

Results, limitations, and responses from manufacturers

The metric used by researchers is the F1 score, a metric summarizing in a single value how accurate a classifier is, that is, how many of its predictions are correct, and how complete it is, how many real cases it can identify; the closer the value is to 100%, the better the result. On macOS, researchers report an F1 score of 88.95% in recognizing the top 50 sites in a closed-world scenario, dropping to 86.95% in an open-world scenario, and an F1 of 95.83% in recognizing applications. As a hidden channel, the attack reaches about 660 bits per second on Linux via OPFS, in line with the performance that the previous work achieved from native code.

The complete fingerprinting attack has been demonstrated on a Mac mini with an M2 chip. On Linux, researchers verified the base primitive, that is, the ability to measure SSD latencies from JavaScript, but did not perform the complete classification; Windows was not tested. The performance of the primitive is similar between macOS and Linux, and consequently, similar behavior is expected in classification as well.

There are some notable limitations: the OPFS file must be larger than the system’s RAM, meaning several gigabytes in total, an occupation that a user concerned about disk space might notice. Moreover, the spied activity must insist on the same disk as the measurement file, a condition that is almost always true on laptops with a single SSD, less so on workstations with more drives.

Researchers followed the practice of responsible disclosure, reporting their findings to Google, Mozilla, and Apple. The Chromium team responded that they do not consider fingerprinting attacks a security vulnerability; Apple considers the attack currently outside their scope, while leaving open the possibility for future mitigation; Mozilla acknowledged it without taking action. The countermeasure suggested by the authors is to limit the maximum size of OPFS files granted without explicit permission, so they fit in memory and do not trigger SSD access, although an attacker could circumvent this by distributing the file across multiple domains. Currently, there are no known uses of FROST in real attacks, and the presentation of the work is expected at the DIMVA conference in July.