How the FROST Attack Works
Researchers at Graz University of Technology have developed a new side channel attack that allows a malicious website to track which other sites and applications a user is running. Named FROST, the technique requires no special permissions, no native code installation, and no browser extensions. It works by exploiting the Origin Private File System (OPFS), a browser storage feature introduced in 2023 for web applications like online editors and IDEs.
The attack leverages SSD timing measurements to detect drive contention. When a user visits a malicious page, the page writes a file larger than the system’s available RAM to the OPFS. Because the operating system cannot cache the entire file in memory, subsequent read operations must access the SSD directly. By measuring how long these reads take, the attacker can infer when other processes are also using the drive, revealing which sites or apps are active. On Chrome and Safari, OPFS can use up to 60% of available disk space, making it easy to create files large enough to defeat the page cache. Firefox has a lower per origin limit, but an attacker can bypass this by distributing the file across multiple origins.
Impact and Scope
The FROST attack represents a significant evolution in side channel techniques because it operates entirely within the browser sandbox. Previous research from the same group, including the SnailLoad attack that inferred browsing activity from network latency, required either native code execution or lower level system access. FROST eliminates those barriers, turning what was a local attack into one that can be executed remotely by any website the user visits.
The attack works on both macOS and Linux systems and affects all major desktop browsers. While the timing channel provides only coarse grained information about which applications or sites are being used, the researchers note that this still represents a serious privacy concern. The attack requires the user to keep the malicious page open in a background tab for several minutes to collect enough timing data. The research is scheduled for presentation at the DIMVA 2026 conference.
Source: The Hacker News
