Back

New FROST Attack Reveals SSD Activity, Compromising User Privacy

Severity: High (Score: 61.5)

Sources: Rss.Slashdot, Gbhackers, Cybersecuritynews, Feeds2.Feedburner, Mezha.Ua

Published: 2026-05-28 · Updated: 2026-05-29

Keywords: their, websites, malicious, exploit, timing, signals, activity

Summary

Researchers at Graz University of Technology have unveiled a side-channel attack named FROST, which allows malicious websites to monitor users' SSD activity and identify open websites and applications with up to 89% accuracy. This attack exploits the Origin Private File System (OPFS) through JavaScript, requiring no special permissions or user interaction beyond visiting an infected site. The method measures SSD access latency to infer user activity, functioning across different browsers. Major tech companies, including Google and Apple, have been informed, but responses vary, with Google not classifying it as a vulnerability. The attack primarily affects users on Mac systems, with limited testing on Linux and no testing on Windows. The significant file size requirement for the attack poses a practical barrier, as users would likely notice large storage consumption. Recommendations include limiting OPFS file sizes or requiring user consent for file creation. Key Points: • FROST attack can identify visited websites with 89% accuracy using SSD timing. • The attack operates entirely within the browser using JavaScript and OPFS. • Current defenses are lacking, with major browsers not implementing fixes yet.

Detailed Analysis

**Impact** Users of modern browsers on devices with SSD storage, particularly Mac systems with M2 chips, are affected by this attack. The method can identify visited websites with up to 89% accuracy and open applications with up to 96% accuracy, compromising user privacy across sectors and geographies where such devices and browsers are used. The attack requires only a visit to a malicious website, potentially exposing browsing habits and application usage without user consent. No specific industry or geographic targeting was reported. **Technical Details** The attack vector is a browser-based side-channel exploiting the Origin Private File System (OPFS) API via JavaScript to measure SSD access latency. The technique, called FROST, uses large OPFS files to force SSD reads and detect latency spikes caused by other active processes, analyzed through a pretrained convolutional neural network. It operates entirely within the browser sandbox without requiring kernel privileges or native code. Tested on an M2 Mac Mini with 8 GB RAM and a 256 GB SSD, the attack works across browsers (Chrome, Safari) and can detect activity even in other browsers. No CVEs or malware were identified, and Windows was not tested. **Recommended Response** Limit the maximum size of OPFS files to prevent attackers from creating large files that force SSD reads, or require explicit user permission for OPFS file creation. Monitor for unusual disk space consumption and anomalous OPFS file activity in browsers. Browser vendors should consider restricting or auditing OPFS API usage and implement mitigations to reduce timing side channels. At present, no patches or specific detections are available; defenders should monitor for related suspicious browser behavior.

Source articles (5)

  • Websites Have a New Way To Spy On Visitors: Analyzing Their SSD Activity — Rss.Slashdot · 2026-05-28
    An anonymous reader quotes a report from Ars Technica: Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST (finge…
  • Malicious Websites Exploit SSD Timing Signals to Monitor Visitor Activity — Gbhackers · 2026-05-28
    Malicious websites can now exploit subtle SSD timing signals in modern browsers to quietly track what users are doing on their devices, including which sites and apps they open, using a new side‑chann…
  • Malicious Websites Track Visitors by Analyzing their SSD Timing Activity — Cybersecuritynews · 2026-05-28
    Malicious websites can track visitors by measuring tiny changes in SSD access times, turning normal browser activity into a privacy leak. Researchers showed that a JavaScript attack can use the browse…
  • Remote monitoring of SSD activity can reveal visited websites with up to 89% accuracy — Mezha.Ua · 2026-05-29
    Security researchers at Graz University of Technology (Austria) have described a side-channel attack that allows a malicious website to identify other sites and applications opened by a visitor by mea…
  • Websites can spy on user activity by analyzing SSD behavior — Feeds2.Feedburner · 2026-05-29
    Websites have spent years collecting information visitors through browser fingerprinting, tracking scripts, and other techniques designed to identify devices and monitor behavior. Researchers have dem…

Timeline

  • 2026-05-28 — FROST attack details published: Researchers disclosed the FROST attack method, revealing its ability to track user activity via SSD timing.
  • 2026-05-28 — Research findings shared with major tech companies: The research team informed Google, Apple, and Mozilla about the FROST attack, receiving varied responses regarding its severity.
  • 2026-05-29 — Public awareness of FROST attack grows: Multiple cybersecurity news outlets report on the FROST attack, highlighting its implications for user privacy.

Related entities

  • Data Breach (Attack Type)
  • Austria (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1189 - Drive-by Compromise (Mitre Attack)
  • Chrome (Tool)
  • Convolutional Neural Network (Tool)
  • Safari (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed