Full Report
A malicious website can work out which sites you visit and which apps you open, using nothing but JavaScript and the timing of your SSD. The attack, called FROST, needs no native code, no extension, and no permission prompt. You open the page, leave the tab sitting there, and it watches the drive for contention in the background. Researchers at Graz University of Technology built it and
Analysis Summary
# Vulnerability: FROST (Flash-Resident Origin Side-channel Tracking)
## CVE Details
- **CVE ID:** None Assigned (As of June 2026, major browser vendors have not categorized this as a security vulnerability requiring a CVE).
- **CVSS Score:** N/A
- **CWE:** CWE-1203 (Inadvertent Information Leak and Side-Channel Analysis)
## Affected Systems
- **Products:** Major desktop web browsers including Google Chrome (Chromium), Apple Safari (WebKit), and Mozilla Firefox.
- **Versions:** Browsers supporting the Origin Private File System (OPFS) API (generally available since 2023).
- **Configurations:** Systems where the browser, operating system, and applications reside on the same Solid State Drive (SSD). The attack specifically targets macOS and Linux environments.
## Vulnerability Description
FROST is a microarchitectural side-channel attack that exploits disk contention on SSDs. It utilizes the **Origin Private File System (OPFS)**, a web API designed to provide high-performance storage for web applications without user permission prompts.
By creating a file larger than the system's RAM, the attacker bypasses the OS page cache, forcing the browser to read directly from the physical SSD. The attacker then measures the latency of these reads using `performance.now()`. When a user launches an app or visits another website, the resulting disk I/O creates contention, slowing down the attacker's reads. By analyzing these tiny timing fluctuations with a neural network, the attacker can "fingerprint" and identify specific applications or websites based on their unique disk-access patterns.
## Exploitation
- **Status:** Proof of Concept (PoC) available; demonstrated by researchers at Graz University of Technology. No evidence of exploitation in the wild.
- **Complexity:** High (Requires sophisticated timing analysis and pre-trained machine learning models).
- **Attack Vector:** Network (Remote via malicious website).
## Impact
- **Confidentiality:** Medium/High (Breach of user privacy; allows tracking of browsing history and local application usage).
- **Integrity:** None.
- **Availability:** None.
## Remediation
### Patches
- **No official patches available.** Browser vendors (Google, Apple, Mozilla) have acknowledged the research but have not yet implemented technical fixes.
### Workarounds
- **Close Suspect Tabs:** The timing channel is only active while the malicious page is open in the browser.
- **Isolate Storage:** Using separate physical drives for the operating system/applications and the browser's profile directory can mitigate the contention signal, though app startup leaks may still occur.
- **Browser Extensions:** Some security-focused extensions that further jitter or blur high-resolution timers may increase the difficulty of the attack.
## Detection
- **Indicators of Compromise:** High volumes of read/write activity to the browser's Origin Private File System storage without a clear user-initiated reason (e.g., a simple news site using gigabytes of disk space).
- **Detection Methods:** Monitoring for sustained calls to `performance.now()` in conjunction with heavy OPFS API usage.
## References
- **Research Paper:** hxxps[://]hannesweissteiner[.]com/pdfs/frost[.]pdf
- **Technical Coverage:** hxxps[://]thehackernews[.]com/2026/06/new-frost-attack-lets-websites-track[.]html
- **Related Research:** hxxps[://]www[.]ndss-symposium[.]org/ndss-paper/secret-spilling-drive-leaking-user-behavior-through-ssd-contention/