In brief: FROST exploits disk latency measurements via the OPFS API and machine learning to remotely identify user tabs and programs, fundamentally compromising browsers’ security model.
Security researchers have demonstrated a side-channel attack called FROST that uses ordinary JavaScript in the browser to determine which other websites and local applications a user is running in parallel, without the user noticing.
The FROST method (Fingerprinting Remotely using OPFS-based SSD Timing) exploits physical access patterns on solid-state drives to reconstruct user activity outside the active browser window. An international security research team documents a new class of attacks in which a malicious website runs in the background and continuously collects disk latency data.
The technique is based on a contention side-channel: the JavaScript code measures access patterns on the Origin Private File System (OPFS), an isolated virtual storage area that browsers provide to each website. When tabs are refreshed in parallel or local applications are launched, characteristic input and output accesses occur on the SSD. These create measurable latency differences that the attacker detects via high-frequency read accesses to large OPFS files.
To draw concrete conclusions from these time measurements, the researchers train a convolutional neural network on latency profiles of various websites and applications. The trained model can then classify new latency patterns and identify which programs are running — a completely passive method that requires no user interaction.
Unlike classical hardware side-channel attacks, FROST operates entirely within standardized browser APIs. The Origin Private File System is sandbox-isolated and gives JavaScript no direct access to the operating system or to the files of other programs. Nevertheless, the timing variations are sufficient to create a meaningful activity profile and thus break browser isolation, a discovery that calls the trust model of modern browsers into question.
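From the defender's side, the behaviour described above (continuous, high-frequency reads on large OPFS files) is itself an observable pattern. The following is an added example, not code from the researchers or the original article: a detection heuristic over per-origin OPFS read telemetry, where the event record shape, the audit hook that would produce it, and every threshold are assumptions.

```javascript
// Added example. Record shape and thresholds are assumptions, not FROST details.
const THRESHOLDS = {
  windowMs: 1000,                 // sliding-window length
  minReadsPerWindow: 200,         // assumed "high-frequency" cut-off
  minFileBytes: 64 * 1024 * 1024, // assumed "large file" cut-off
  minSustainedWindows: 5,         // consecutive busy windows before flagging
};

// events: [{ origin, op, fileBytes, tsMs }] from a hypothetical OPFS audit hook.
function flagSustainedOpfsReads(events, t = THRESHOLDS) {
  const perOrigin = new Map(); // origin -> Map(windowIndex -> read count)
  for (const e of events) {
    if (e.op !== "read" || e.fileBytes < t.minFileBytes) continue;
    const w = Math.floor(e.tsMs / t.windowMs);
    if (!perOrigin.has(e.origin)) perOrigin.set(e.origin, new Map());
    const wins = perOrigin.get(e.origin);
    wins.set(w, (wins.get(w) || 0) + 1);
  }
  const findings = [];
  for (const [origin, wins] of perOrigin) {
    const busy = [...wins].filter(([, n]) => n >= t.minReadsPerWindow)
      .map(([w]) => w).sort((a, b) => a - b);
    let run = 0, longest = 0, prev = null;
    for (const w of busy) { // longest run of consecutive busy windows
      run = prev !== null && w === prev + 1 ? run + 1 : 1;
      longest = Math.max(longest, run);
      prev = w;
    }
    if (longest >= t.minSustainedWindows) findings.push({ origin, sustainedWindows: longest });
  }
  return findings;
}

// Constructed sample telemetry (not captured data).
function constructedEvents() {
  const ev = [];
  const add = (origin, fileBytes, durationMs, stepMs) => {
    for (let ms = 0; ms < durationMs; ms += stepMs)
      ev.push({ origin, op: "read", fileBytes, tsMs: ms });
  };
  add("https://probe.example", 256 * 2 ** 20, 8000, 4);  // 250 reads/s for 8 s
  add("https://editor.example", 128 * 2 ** 20, 2000, 4); // short 2 s burst
  add("https://notes.example", 4096, 8000, 100);         // small file, low rate
  return ev;
}

console.log(flagSustainedOpfsReads(constructedEvents()));
```

Requiring several consecutive busy windows keeps a legitimate short burst, such as an application loading a large file once, from being flagged.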
Source: www.it-daily.net · Published June 6, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.