Researchers Reveal FROST: Browser‑Based SSD Timing Attack Enables Websites to Spy on User Activity
What Happened – Researchers have demonstrated “FROST” (Fingerprinting Remotely using OPFS‑based SSD Timing), a side‑channel attack that lets a website infer which applications and sites are active on a visitor’s machine by measuring SSD contention through the browser’s Origin Private File System (OPFS). The attack runs entirely in JavaScript; no malware, extensions, or elevated privileges are required.
Why It Matters for TPRM –
- Reveals a new privacy‑risk vector that can expose proprietary SaaS usage patterns of your customers.
- Highlights the need to reassess browser‑based security controls in third‑party risk assessments.
- May affect compliance regimes that require strict data‑handling guarantees for end‑user devices.
Who Is Affected – Technology/SaaS providers, enterprises using web‑based productivity suites, cloud‑hosted applications, and any organization whose users access critical services via modern browsers.
Recommended Actions – Review vendor security questionnaires for browser hardening measures, validate that OPFS usage is monitored and limited, consider deploying browser isolation or content‑security policies, and stay informed of upcoming browser patches addressing OPFS side‑channel mitigations.
Technical Notes – FROST exploits timing differences caused by SSD contention when multiple processes access storage. It leverages OPFS, a sandboxed file system introduced in Chromium‑based browsers, to perform high‑resolution timing measurements from JavaScript. No known CVE yet; mitigation includes limiting OPFS file size, monitoring disk usage, and applying browser‑level throttling of storage APIs. Source: Help Net Security