Ethical Hacking News
A new attack vector known as "FROST" has been discovered, which uses solid-state drives (SSDs) to track users' activities on websites and mobile applications. The technique exploits a storage feature present in every major desktop browser called OPFS, allowing malicious actors to identify the sites and apps being visited by the user without their knowledge or consent.
The attack vector relies on creating a file larger than the machine's RAM, so that the operating system's page cache cannot serve repeated reads from memory and they land on the SSD instead. By analyzing the timing of these reads, it is possible to identify the sites and apps being visited by the user.
FROST has been demonstrated on both macOS and Linux operating systems, achieving high accuracy rates in identifying the sites and apps being visited. The implications of FROST are far-reaching, highlighting the need for browser makers to reassess their approach to web app development and storage features like OPFS.
The FROST attack vector exploits a storage feature in desktop browsers to track users' activities without their knowledge or consent.
FROST uses the timing of solid-state drives (SSDs) to identify websites and apps being visited by a user.
The attack can be executed without native code, extensions, or permission prompts, making it stealthy.
Browser makers need to reassess their approach to web app development and storage features like OPFS to mitigate FROST's impact.
Potential mitigations include capping OPFS size, throttling timers, or putting a permission prompt in front of it.
The broader pattern of near-native access to hardware presents an opportunity for malicious actors to exploit vulnerabilities and track users' activities without their knowledge or consent.
The cybersecurity landscape has recently witnessed a significant development, as researchers from Graz University of Technology have unveiled a novel attack vector known as "FROST" (Fingerprints Read Out Slowly Through Timing). This innovative technique leverages the timing of solid-state drives (SSDs) to track users' activities on websites and mobile applications. In this article, we will delve into the details of FROST, its implications, and potential mitigations.
In essence, FROST exploits a storage feature present in every major desktop browser called Origin Private File System (OPFS). OPFS allows web apps like in-browser editors and IDEs to store files on disk, providing near-native access to the hardware. However, this feature also presents an opportunity for malicious actors to track users' activities without their knowledge or consent.
The attack vector relies on creating a file larger than the machine's RAM, so that the operating system's page cache cannot serve repeated reads from memory and they land on the SSD instead. The attacker then reads random chunks of that file in a loop, timing each read with performance.now(). Because the SSD is shared with every other process on the machine, the timing patterns of those reads reflect the disk activity of other sites and apps, and analyzing them makes it possible to identify the sites and apps being visited by the user.
The researchers have demonstrated the efficacy of FROST on both macOS and Linux operating systems. In a closed-world test against the top 50 websites, FROST achieved an F1 score of 88.95% on Macs, while holding at 86.95% in an open-world test that added 300 sites never seen before. On Linux, FROST identified the site being visited with a higher accuracy rate.
It is worth noting that FROST can be executed without native code, extensions, or permission prompts, making it a sophisticated and stealthy attack vector. The researchers have also built a covert channel on the same signal, allowing them to move data from a cooperating native app to the malicious page at a significant rate.
The implications of FROST are far-reaching, as it highlights the need for browser makers to reassess their approach to web app development and storage features like OPFS. By providing near-native access to the hardware, these features can be exploited by malicious actors to track users' activities without their knowledge or consent.
Google, Mozilla, and Apple were informed about FROST before its publication, but there is currently no CVE (Common Vulnerabilities and Exposures) identifier associated with this attack. The measurement only runs while the attacker's page is open, so closing the tab ends that run. Watching your browser's storage for an unexplained multi-gigabyte file is another tell, though browsers do not make OPFS usage easy to see.
To mitigate FROST, browser makers could consider implementing measures such as capping OPFS size so the file fits in memory and generates no contention, throttling high-resolution timers while OPFS is in use, or putting a permission prompt in front of it. However, these fixes come with a cost in terms of speed or usability.
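As an added illustration of the first two mitigations (this is example code written for this page, not code from the article or from the Graz researchers), the following JavaScript models the operating system's page cache as an LRU of fixed block capacity under uniform random reads. It shows why a file that fits in memory stops generating SSD reads once it is cached, while a file several times larger than the cache keeps most reads going to the SSD, and it includes a simple coarsened-timer function for the second mitigation. The LRU model, the block counts, the read counts and the seeded PRNG are assumptions chosen for the demonstration, not measurements from the paper.

```javascript
// Added example (not from the article or the FROST researchers): a toy model of why
// the "file larger than RAM" condition matters and why capping OPFS size removes it.
// Assumptions: the OS page cache behaves like an LRU of fixed block capacity and the
// page's workload is uniform random block reads. Both are deliberate simplifications.

// Small deterministic PRNG so runs are reproducible (constructed, not cryptographic).
function lcg(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 0x100000000;
  };
}

// LRU cache of `capacity` blocks keyed by block index. A Map keeps insertion order,
// so deleting and re-inserting a key moves it to the most-recently-used end.
class LruPageCache {
  constructor(capacity) {
    this.capacity = capacity;
    this.map = new Map();
  }
  // Returns true on a cache hit, false on a miss (the read would go to the SSD).
  access(block) {
    if (this.map.has(block)) {
      this.map.delete(block);
      this.map.set(block, true);
      return true;
    }
    if (this.map.size >= this.capacity) {
      this.map.delete(this.map.keys().next().value); // evict least recently used
    }
    this.map.set(block, true);
    return false;
  }
}

// Simulate `reads` uniform random block reads over a file of `fileBlocks` blocks
// with a page cache of `cacheBlocks`. Returns the fraction of reads that missed the
// cache, i.e. the fraction that would have been served by the SSD. That fraction is
// what a timing measurement can observe; near zero means there is nothing to time.
function simulateMissRate({ fileBlocks, cacheBlocks, reads, seed = 1 }) {
  const rnd = lcg(seed);
  const cache = new LruPageCache(cacheBlocks);
  let misses = 0;
  for (let i = 0; i < reads; i++) {
    const block = Math.floor(rnd() * fileBlocks);
    if (!cache.access(block)) misses++;
  }
  return misses / reads;
}

// Compare a file that fits within the cache (what an OPFS size cap enforces) against
// one four times larger than the cache. Block counts are toy values, not real sizes.
function compareScenarios() {
  const cacheBlocks = 4096;
  const capped = simulateMissRate({ fileBlocks: 1000, cacheBlocks, reads: 100000 });
  const oversized = simulateMissRate({ fileBlocks: 16384, cacheBlocks, reads: 100000 });
  return { capped, oversized };
}

// Second mitigation from the article: a coarsened timer. Quantizes a microsecond
// timestamp to `granularityUs`, so two latencies that differ by less than the
// granularity are reported as the same value. This raises the number of samples a
// measurement needs rather than removing the signal, which is why the article lists
// it alongside the size cap rather than instead of it.
function coarsen(timestampUs, granularityUs) {
  return Math.floor(timestampUs / granularityUs) * granularityUs;
}

const result = compareScenarios();
console.log(`miss rate, file fits in cache:      ${result.capped.toFixed(3)}`);
console.log(`miss rate, file 4x larger than cache: ${result.oversized.toFixed(3)}`);
console.log(`35us and 95us at 100us granularity: ${coarsen(35, 100)} / ${coarsen(95, 100)}`);
```

Run with `node`. The capped file misses at most once per block, so its miss rate is around one percent and falls further the longer the loop runs; the oversized file settles near the LRU steady state of roughly 1 - cache/file, about 0.75 here, so three quarters of its reads keep reaching the SSD. The last line shows two constructed latencies collapsing to the same coarsened value.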
The real concern here is not just about FROST itself but also about the broader pattern of near-native access to hardware being provided by browsers. This pattern presents an opportunity for malicious actors to exploit vulnerabilities and track users' activities without their knowledge or consent.
In conclusion, the FROST attack vector represents a significant threat to user privacy and security. As we move forward, it is essential that browser makers prioritize the implementation of robust mitigations against such attacks and that users remain vigilant about protecting their online activities.
Related Information:
https://www.ethicalhackingnews.com/articles/New-FROST-Attack-Unveiling-the-Sophisticated-SSD-Based-Tracking-Technique-ehn.shtml
https://thehackernews.com/2026/06/new-frost-attack-lets-websites-track.html
Published: Wed Jun 10 15:06:46 2026 by llama3.2 3B Q4_K_M