FROST: how a regular website can use your SSD as a side channel to infer activity
A practical breakdown of FROST — a research attack that uses OPFS and SSD timing inside the browser. We explain what the authors actually showed, where the 88.95% number comes from, why this is not “reading files from your SSD”, what the privacy risks are, and what browsers, product teams, and users can do about it.
Short version
FROST sounds like a headline about an “SSD spying on you”. The reality is more technical and more interesting: the SSD does not send anything by itself, but the browser can create measurable I/O noise, and machine learning can extract patterns from it.
The simplest mental model is this: the attacker’s website does not ask “which website is open?”. Instead, it repeatedly asks the SSD a tiny question: “how fast are you responding right now?”.
OPFS gives the browser a file that really lives on disk
The Origin Private File System is private storage for a specific origin. It does not allow a website to read arbitrary local files, but it does let the site create and manage files inside sandboxed storage. For FROST, that is enough: the attack does not need access to other files, only controlled I/O operations. [1][2][3]
SSD contention creates a measurable signal
If another website or application creates disk activity at the same time, access time to the OPFS file can change. FROST collects those changes as a trace. One trace does not “tell the story”, but across many samples a pattern appears. [1]
The classifier predicts; it does not know absolutely
In website fingerprinting attacks, a model is trained on known websites and then compares a new trace with its training examples. That is why closed-world results should be read as “among this known set of candidates”, not “across the entire internet”. [1]
FROST turns access to an OPFS file into a sensor: the site creates I/O pressure, measures latency, collects a trace, and classifies activity against previously trained profiles.
Section how-it-works screenshotIn media coverage, 89% can quickly become a fear headline. For a technical assessment, the important parts are the metric, the scenario, and the limits of the experiment.
Closed-world means the model chooses from a known set of classes. If the test contains the top 50 websites, the prediction is roughly asking: “which of these 50 profiles does this trace look most like?”. On the open internet, the number of candidates, background activity, SSD model, operating system, browser, extensions, power mode, and user behavior all add noise.
That does not make the result weak. Quite the opposite: the impressive part of FROST is that it brings an SSD side channel into the browser without installing native malware. But a responsible reading of the paper should explain the threat model instead of selling a panic headline.
88.95%
F1 score for top-50 closed-world website fingerprinting on macOS using OPFS-based contention measurement. [1]
86.95%
Macro-averaged F1 score in the open-world top-50 scenario; the paper also reports open-world accuracy of 96.72%. [1]
95.83%
F1 score for the closed-world application fingerprinting experiment on macOS using OPFS. [1]
Understanding the threat correctly helps avoid two opposite mistakes: dismissing the research too quickly, or describing it as science-fiction spyware.
It is not proof that any website tomorrow will see your entire browser history with 89% accuracy. The result is tied to the experimental setup and to the classes the model was trained on. [1]
It is not a problem of only one browser. The paper discusses OPFS support across major browsers and covers Chrome, Firefox, and Safari, but specific capabilities and storage limits differ. [1]
A cookie blocker works against storage-based tracking, where a site directly stores or reads an identifier. Incognito mode reduces persistence between sessions. FROST belongs to a different class: the site measures the behavior of a hardware resource during the current session.
Think of it as the difference between “someone wrote your number in a notebook” and “someone is listening to noise through a wall to infer what is happening”. In the second case, deleting the notebook does not remove the sensor.
That is why privacy engineering for the modern web must include more than consent and storage policy. It also needs side-channel thinking: timers, shared resources, storage pressure, cache behavior, the rendering pipeline, GPU/CPU/SSD contention, and cross-origin isolation.
For everyday users, FROST is currently a research-grade threat rather than a mass exploit kit. But for browser platforms and products that make privacy claims, it is already a practical signal.
For browsers
The paper discusses mitigation options: detecting unusually large OPFS writes across origins, notifying users, limiting OPFS as a low-level I/O sensor, reducing timing precision, and introducing stronger permission or visibility models for high-impact storage behavior. The authors also note that the strongest mitigations may break legitimate workflows. [1]
For web products
If you are building a SaaS platform, financial dashboard, health portal, or internal tool, do not promise “complete privacy” just because you do not use third-party cookies. Privacy claims must account for browser platform leakage, third-party scripts, analytics, embedded content, and side-channel surface.
For users
Keep your browser and operating system updated, avoid opening random high-risk websites next to sensitive sessions, use separate browser profiles for banking, admin panels, and work, and limit extensions and third-party scripts. This is not a dedicated “FROST fix”, but it reduces the overall surface for browser privacy attacks.
For security teams
Add side-channel risks to threat modeling for web applications that heavily use storage APIs, WASM, high-frequency timers, workers, canvas/GPU, or local processing of large datasets. This is especially relevant for browser IDEs, editors, and offline-first products.
Side-channel defense rarely has a single switch. Part of the work belongs to browser vendors, part to product and security teams, and part to user discipline.
Section risk-defense-map screenshotEven if FROST never becomes a mass attack in this exact form, it clearly shows where the modern web risk surface is heading.
Do not reduce privacy to a cookie banner
Browser fingerprinting and side channels can work without traditional tracking identifiers. Your privacy position should cover data minimization, third-party dependencies, telemetry, and client-side behavior.
Review storage-heavy features separately
If your product uses OPFS, IndexedDB, local caches, or large offline datasets, add a security review specifically for storage behavior: quotas, cleanup, partitioning, observability, and user controls.
Set boundaries for third-party JavaScript
Every analytics, tag manager, chat, or widget script can execute code in the browser context. Even when it cannot access your backend secrets, it still affects the user’s privacy surface.
Build threat models at the platform level
A modern browser is an operating system inside an operating system. CPU, GPU, storage, timers, workers, codecs, fonts, and rendering can all become sensors. Threat modeling should acknowledge that.
Write honest UX and privacy messages
When a product says “we do not track you”, users hear an absolute promise. It is better to be specific: which data you do not collect, which scripts are present, how local storage works, how users can delete data, and where the limits of control are.
For landing pages and content-heavy websites, we keep the code static-first by default: less client runtime, fewer third-party scripts, and less unnecessary local storage. That does not make a website “immune to side channels”, but it removes many unnecessary moving parts that often appear without a real business reason.
For SaaS products and internal dashboards, the approach is different: storage APIs, auth flows, analytics, session handling, embedded widgets, and permissions need a dedicated security review. That is especially important for products handling financial, medical, legal, or corporate data.
Need a privacy or security review for your web product?
PAS7 Studio can review your frontend and runtime surface: third-party scripts, storage APIs, auth and session flows, analytics, CSP, headers, logs, and privacy claims. The result is not an abstract audit, but a practical list of product changes.
No. FROST does not give a website direct access to arbitrary local files. The attack uses OPFS for its own origin-scoped file and measures timing and latency to fingerprint activity. [1][3]
No. 88.95% is the F1 score from a top-50 closed-world website fingerprinting experiment on macOS. In the real world, results depend on the set of websites, background activity, operating system, SSD, browser, and noise. [1]
Incognito mode reduces cookie and storage persistence between sessions, but it is not a universal defense against side-channel measurements during the current session. This class of attack needs browser-level mitigations and reduced exposure to untrusted JavaScript.
Publicly, FROST is described as research work. Its importance is not that every website is already doing this, but that it shows a practical path from a web API to a hardware side channel without native malware. [1]
Minimize third-party scripts, keep the frontend static-first where possible, review storage-heavy features, write honest privacy claims, and add side-channel thinking to product threat modeling.
The main claims about FROST in this article come from the authors’ primary source paper. OPFS documentation is used to explain the API, not to evaluate the attack results.
• 2. FROST publication page — Graz University of Technology / authors’ project page
• 3. MDN: Origin private file system — browser storage model and OPFS overview
• 4. Chrome Developers: The origin private file system — OPFS use cases and web app storage behavior
• 5. WICG File System Access specification — origin private file system definitions
Related Articles
AI Assistant Development Cost in 2026: RAG Chatbots, CRM Integrations, Guardrails, and Support
A practical buyer guide to AI assistant development cost in 2026: prototypes, RAG chatbots, knowledge-base assistants, CRM and website integrations, guardrails, evaluations, monitoring, and support.
AI for landing page development: where it speeds up launches and where it hurts conversion
A practical research piece on using AI for landing page development: v0, Webflow AI, Builder.io, Framer-like builders, UX generation, copy, SEO, personalization, A/B testing, template risk, accessibility, security and technical debt.
AI SEO / GEO in 2026: Your Next Customers Aren’t Humans — They’re Agents
Search is shifting from clicks to answers. Bots and AI agents crawl, cite, recommend, and increasingly buy. Learn what AI SEO / GEO means, why classic SEO is no longer enough, and how PAS7 Studio helps brands win visibility in the agentic web.
The most powerful Apple chip yet? M5 Pro and M5 Max are breaking records
A data-backed March 2026 analysis of Apple M5 Pro and M5 Max. We break down why these chips can credibly be called Apple's most powerful pro laptop silicon, how they compare with M4 Pro, M4 Max, M1 Pro, M1 Max, and how they stack up against Intel and AMD laptop rivals.
Professional development for your business
We create modern web solutions and bots for businesses. Learn how we can help you achieve your goals.