FROST shows how a website can read traces of SSD activity
FROST frames the SSD as a silent source of web attack traces.
- FROST uses OPFS as a side channel for measuring local SSD activity from the browser.
- Researchers claim the attack requires no user permission, click, or extension installation.
- This is a web security and privacy story, not a space story, because it concerns browsers, disks, and local data traces.
FROST is an uncomfortable reminder that browser privacy is not only about cookies, fingerprinting, and camera permission prompts. According to Tom's Hardware, researchers claim that the Origin Private File System (OPFS) can be used to measure SSD activity and infer which apps and websites a user is running.
OPFS is not an obscure add-on. It is part of the modern web platform, designed so websites can create and store files on a user's local disk in storage tied to their own origin. That is useful for offline tools, editors, local work files, and web apps that increasingly behave like desktop software. The problem begins when that same capability becomes a measuring device: the local disk is no longer just storage, but a source of timing traces.
That is why the FROST claim matters. If the reported attack works as described, it does not require user permission, extension installation, or meaningful interaction. A page using OPFS can attempt to observe patterns of disk behavior, and those patterns may reveal parallel activity: other websites, apps, or workflows that leave a recognizable rhythm of SSD access on the same machine.
Researchers claim an OPFS-based attack can infer which apps and websites you use without permissions or user interaction.
The OPFS sandbox becomes a measurement channel, not just local storage.
This is not the same as stealing files. Based on the available description, FROST does not mean a website can browse your disk like an open folder. The sharper risk is quieter: inference from behavioral metadata. In security terms, that is the classic difference between content and a side channel. The content remains closed, but timing, latency, or load measurements can still produce enough signal to reconstruct what is probably happening outside the browser tab.
For browser vendors, this is an awkward tradeoff. Web apps need richer local capabilities, and specifications such as the File System API keep moving the browser closer to an application runtime rather than a document viewer. But the closer a web app gets to native software, the larger the measurement surface becomes for resources that older browser security models did not necessarily treat as sensitive.
The regulatory and industry lesson is direct: users cannot meaningfully defend privacy against an attack that has no prompt, no visible permission, and no obvious security event. The response will have to come from browsers and standards work, possibly through reduced measurement precision, stronger isolation, or changes in how OPFS exposes local disk performance. FROST is a signal that the web platform has to treat local hardware as a source of private traces, even when an app is formally operating inside its own origin sandbox.

