Executive Summary
In June 2026, researchers from Graz University of Technology unveiled a novel side-channel attack named FROST (Fingerprinting Remotely using OPFS-based SSD Timing). This attack enables malicious websites to infer users' browsing habits and application usage by exploiting SSD access time variations through JavaScript, without requiring native code execution or user permissions. By leveraging the Origin Private File System (OPFS) API, attackers can create large files that induce measurable SSD latency changes when other applications or websites are accessed, allowing them to identify specific user activities with high accuracy. (tugraz.elsevierpure.com)
The FROST attack underscores the evolving landscape of web-based privacy threats, highlighting the potential for sophisticated side-channel attacks that operate entirely within the browser environment. As web applications become more complex and integrated with local system resources, the need for robust security measures to mitigate such vulnerabilities becomes increasingly critical.
Why This Matters Now
The FROST attack demonstrates a significant advancement in side-channel techniques, revealing that standard web APIs can be exploited to compromise user privacy without explicit consent. This highlights the urgent need for browser developers and security professionals to reassess and fortify existing defenses against such covert attacks.
Attack Path Analysis
A malicious website exploits the OPFS API to create large files on the user's SSD, enabling it to measure SSD read times and infer user activity. This technique allows the attacker to identify which websites and applications the user accesses without requiring native code execution or user permissions.
Kill Chain Progression
Initial Compromise
Description
The user visits a malicious website that utilizes JavaScript to exploit the OPFS API, creating large files on the user's SSD to measure read times.
MITRE ATT&CK® Techniques
JavaScript
Exploitation for Client Execution
Time Based Evasion
Browser Information Discovery
Local Storage Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components are protected from known vulnerabilities
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data Protection
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
The FROST attack enables websites to track which financial applications and sites a user accesses via SSD timing, compromising client confidentiality and regulatory compliance requirements.
Health Care / Life Sciences
Patient privacy is at severe risk, as malicious sites can track healthcare applications and websites through JavaScript-based SSD timing attacks without requiring any permissions.
Computer Software/Engineering
Software development environments are vulnerable to intellectual property theft, as the FROST attack can track which development tools and repositories are accessed via SSD contention monitoring.
Legal Services
Attorney-client privilege threatened by FROST's ability to monitor legal research platforms and case management applications through browser-based SSD timing analysis.
Sources
- New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing: https://thehackernews.com/2026/06/new-frost-attack-lets-websites-track.html
- Researchers say they can spy on your browsing by measuring SSD activity through a browser API: https://www.tomshardware.com/tech-industry/cyber-security/researchers-say-they-can-spy-on-your-browsing-by-measuring-ssd-activity-through-a-browser-api
- FROST Side-Channel Attack Spies on Mac Browsing via SSD Latency: https://pccentral.net/frosted-side-channel-attack-spies-mac-browsing-ssd-latency/
Cloud Native Security Fabric Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it can limit the attacker's ability to exploit the OPFS API for inferring user activity by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the OPFS API may be constrained by enforcing strict segmentation policies that limit unauthorized access to sensitive APIs.
Control: Zero Trust Segmentation
Mitigation: The attacker's scope may be limited by enforcing segmentation policies that prevent unauthorized access beyond the browser environment.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally may be constrained by enforcing east-west traffic controls that limit unauthorized internal communications.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish covert channels may be limited by implementing visibility and control measures that detect and restrict unauthorized data flows.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data may be constrained by enforcing egress policies that monitor and control outbound data flows.
The attacker's ability to compromise user privacy may be limited by implementing comprehensive security controls that monitor and restrict unauthorized data access and exfiltration.
Impact at a Glance
Affected Business Functions
- User Privacy
- Data Security
- Regulatory Compliance
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of user browsing habits and application usage patterns.
Recommended Actions
Key Takeaways & Next Steps
- Implement browser-level restrictions on the OPFS API to prevent unauthorized file creation and access.
- Enhance browser security features to detect and block side-channel attacks exploiting hardware timing variations.
- Educate users about the risks of visiting untrusted websites and the potential for side-channel attacks.
- Develop and deploy browser patches that mitigate the ability to measure SSD read times through JavaScript.
- Collaborate with hardware manufacturers to design SSDs that are less susceptible to timing-based side-channel attacks.