A new browser-based attack called FROST can reportedly identify which websites and apps are open on a victim’s computer by watching SSD timing patterns, and it does not need malware, extensions, or permission prompts. The trick is that the page itself does the spying: just opening a malicious site may be enough.
The browser attack comes from researchers at the Graz University of Technology in Austria and leans on ordinary JavaScript plus the Origin Private File System (OPFS), a browser storage feature meant for legitimate web apps. Instead of breaking into the machine, the attack creates a huge file on the SSD, measures tiny access delays, and feeds those fingerprints into a neural network that tries to map them to specific sites and programs. Clean in theory, creepy in practice.
How FROST reads SSD timing signals
FROST works by turning storage activity into a side channel. When the browser writes and reads through OPFS, the page can observe micro-latencies caused by whatever else is touching the same drive, then infer which software is active from the resulting pattern. The researchers say the attack can even cross browser boundaries, so the spying page might run in Chrome while the target activity happens in Safari.
That is the part that makes this more than a lab curiosity. Browser security teams have spent years locking down obvious attack paths, but side channels keep slipping through the cracks because nothing is technically “hacked” in the classic sense. The machine is simply telling on itself.
FROST accuracy on a Mac Mini and the storage footprint problem
In tests on a Mac Mini with an M2 chip, the system identified open websites with about 89% accuracy and apps with about 96% accuracy. Those are strong numbers for a passive browser attack, although the method is not exactly subtle: OPFS can reserve huge amounts of space, and the researchers say Chrome and Safari allow sites to reserve up to 60% of SSD capacity. On a 256 GB drive, that can mean 150 GB gone.
- Open sites detected with about 89% accuracy
- Open apps detected with about 96% accuracy
- Works through a normal browser page, not installed software
- Needs the target activity and OPFS data to sit on the same physical SSD
That last limitation matters. The attack is less convincing on multi-drive workstations, where the storage layout may break the signal it needs. In other words, FROST looks more dangerous on the kind of consumer laptop where people are least likely to notice a mysterious browser tab and most likely to ignore a storage warning.
Google, Apple and Mozilla have not rushed to fix it
The researchers reported the issue to Google, Apple and Mozilla, but none of them appears eager to call it an emergency. Google reportedly does not treat the technique as a full security vulnerability, Apple described it as outside its responsibility, and Mozilla is still reviewing the report. That response is familiar: if the attack does not look like a clean exploit, browser makers tend to file it under “interesting” and move on.
The obvious defenses are equally familiar. Limit OPFS file sizes so they fit in memory, or require permission before a site can create such storage. Both would make life harder for attackers and slightly more annoying for web apps, which is usually how browser security progress works.
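As an added example (not from the researchers or any browser vendor), the sketch below triages per-origin storage figures against the two limits named above: a file size that fits in memory, and user permission. The record format, the `opfsBytes` and `userGranted` fields, the thresholds and the origins are all constructed for illustration.

```javascript
// Added example: per-origin storage triage. Records, thresholds and
// origins are constructed; `opfsBytes` and `userGranted` are assumed fields.
const GB = 1e9;

// Constructed host profile. The article reports sites may reserve up to 60%
// of the SSD, so the alert share is set well below that (hypothetical value).
const HOST = { diskBytes: 256 * GB, ramBytes: 8 * GB, diskShareAlert: 0.25 };

// Constructed sample records.
const RECORDS = [
  { origin: "https://editor.example", opfsBytes: 2 * GB, userGranted: false },
  { origin: "https://unknown-tab.example", opfsBytes: 150 * GB, userGranted: false },
  { origin: "https://video-tool.example", opfsBytes: 12 * GB, userGranted: true },
];

function auditOriginStorage(records, host) {
  const findings = [];
  for (const r of records) {
    // Reject malformed usage figures instead of silently passing them.
    if (!Number.isFinite(r.opfsBytes) || r.opfsBytes < 0) {
      findings.push({ origin: r.origin, opfsBytes: 0, reasons: ["invalid usage figure"] });
      continue;
    }
    const reasons = [];
    // First mitigation in the text: stored files should fit in memory.
    if (r.opfsBytes > host.ramBytes) reasons.push("exceeds physical memory");
    const share = r.opfsBytes / host.diskBytes;
    if (share >= host.diskShareAlert) {
      reasons.push(`uses ${(share * 100).toFixed(1)}% of the SSD`);
    }
    // Second mitigation: large storage should be backed by a user grant.
    if (reasons.length > 0 && !r.userGranted) reasons.push("no user permission recorded");
    if (reasons.length > 0) findings.push({ origin: r.origin, opfsBytes: r.opfsBytes, reasons });
  }
  // Largest consumers first, so the most suspicious origin leads the report.
  return findings.sort((a, b) => b.opfsBytes - a.opfsBytes);
}

for (const f of auditOriginStorage(RECORDS, HOST)) {
  console.log(`${f.origin}: ${f.reasons.join("; ")}`);
}
```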
The bigger question is how long this class of browser attack keeps working before browsers clamp down on storage APIs by default. If the past is any guide, the answer is “long enough for someone else to rediscover it with a different gadget.”

