Austrian research team discovers FROST attack: websites can track user behavior across browsers using SSD timing analysis, with 89% accuracy

An Austrian security research team has disclosed a new no-click attack called FROST (Fingerprinting Remotely using OPFS-based SSD Timing) in a recent paper. It allows a malicious website to infer a user’s activity in other tabs or browsers by analyzing the read/write timing of the solid-state drive (SSD), without requiring any software installation or tricking the user into clicking a link. The attack works as follows: the malicious website uses the browser’s OPFS (Origin Private File System) interface to write several multi-GB files to the SSD, saturating disk bandwidth. While doing so, it observes the microsecond-level timing differences that arise whenever other sites write temporary files to the same disk, since those writes compete for the saturated bandwidth. By feeding the collected timing data to a machine learning model, the attack can infer which websites the user is visiting with 88.95% accuracy, and identify which local applications the user is running with 95.83% accuracy. The researchers validated the attack experimentally on Mac and Linux devices, and noted that Windows devices are not immune either.

What makes this attack particularly alarming is its cross-browser nature: because the attack path operates at the operating system level via the SSD hardware, in theory, a malicious website running in Chrome could track a user’s browsing activity in other browsers, completely bypassing the browser’s sandbox isolation mechanism. Researcher Hannes Weissteiner stated, “In principle, any system activity that reliably generates SSD access can be used to train a model,” implying the attack surface extends far beyond just web browsing. There are currently no targeted browser patches available. The researchers advise users to immediately close the relevant tab after leaving a webpage to reduce risk; fundamentally fixing the vulnerability will require browser vendors or operating systems to implement bandwidth throttling for OPFS access.

Ars Technica | Futurism