Overview
- Researchers at Graz University of Technology published the FROST paper in late May describing a proof‑of‑concept that runs in a standard browser and was shared with major browser vendors before publication.
- The team ran the full attack on an M2 Mac Mini and reported about 89% accuracy for identifying websites and about 96% accuracy for identifying running applications on that testbed.
- FROST forces reads from a very large Origin Private File System (OPFS) file so accesses hit the SSD rather than RAM, and the timing of those reads reveals storage contention caused by other software on the same physical drive.
- The attack works across different browsers because it measures storage‑level contention rather than browser internals. However, it requires gigabytes of OPFS storage, more than the system's memory, and that storage must sit on the same SSD as the software being observed, which limits stealth and scale.
- Browser makers have been notified but have not committed to fixes. The researchers proposed mitigations such as capping OPFS file sizes or requiring permission for large allocations. The team will present the work at the DIMVA conference in July.
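
The storage requirement above gives defenders something to check. The following is an added example, not code from the FROST paper or any browser vendor: it walks one origin's OPFS tree and flags it when the total size reaches system memory. OPFS is private to each origin, so it has to run in the context of the origin being inspected (for instance from the DevTools console). The function names, the caller-supplied `ramBytes` value, the `ratio` threshold and the mock handles are assumptions made for this sketch.

```javascript
// Added example: audit one origin's OPFS for data large enough to exceed RAM.
// Browser use: auditOpfs(await navigator.storage.getDirectory(), ramBytes)
// ramBytes comes from the caller (assumption): page JS has no exact RAM figure.

// Recursively list every file under an OPFS directory handle with its size in bytes.
async function collectOpfsFiles(dir, prefix = "") {
  const files = [];
  for await (const [name, handle] of dir.entries()) {
    const path = `${prefix}/${name}`;
    if (handle.kind === "directory") {
      files.push(...(await collectOpfsFiles(handle, path)));
    } else {
      const file = await handle.getFile();
      files.push({ path, size: file.size });
    }
  }
  return files;
}

// Flag the origin when its OPFS total reaches ratio * RAM (hypothetical threshold).
function assessOpfsUsage(files, ramBytes, ratio = 1.0) {
  const total = files.reduce((sum, f) => sum + f.size, 0);
  const largest = files.reduce((m, f) => (f.size > m.size ? f : m), { path: null, size: 0 });
  return { total, largest: largest.path, suspicious: total >= ramBytes * ratio };
}

async function auditOpfs(root, ramBytes, ratio) {
  return assessOpfsUsage(await collectOpfsFiles(root), ramBytes, ratio);
}

// Constructed stand-ins for FileSystemDirectoryHandle / FileSystemFileHandle,
// so the audit can be exercised offline. Sizes are made up for illustration.
const mockFile = (size) => ({ kind: "file", getFile: async () => ({ size }) });
const mockDir = (children) => ({
  kind: "directory",
  async *entries() { yield* Object.entries(children); },
});
const GiB = 2 ** 30;
const sampleRoot = mockDir({
  "cache.bin": mockFile(4096),
  blobs: mockDir({ "pad0.dat": mockFile(6 * GiB), "pad1.dat": mockFile(6 * GiB) }),
});
```

Against the constructed tree, `auditOpfs(sampleRoot, 8 * GiB)` reports the origin as suspicious, while the same tree on a 16 GiB machine does not cross the threshold.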