FROST fingerprinting – Security researchers say a new technique called FROST can let a malicious website figure out which other sites and apps you have open—just by you visiting a page. It works through a browser feature tied to OPFS and SSD timing, and tests on an Apple M2 Mac repo
The terrifying part isn’t that you clicked anything.
It’s that you didn’t have to.
Security researchers say a malicious website can learn which other sites and apps you have open simply by having you visit an attacker’s page. No downloads. No prompts. No permissions. Nothing to “agree to.”
The technique is called FROST—short for Fingerprinting Remotely using OPFS-based SSD Timing. It turns a quiet browser capability into a privacy shortcut.
FROST relies on a browser feature called Origin Private File System, or OPFS. OPFS lets websites store files on your local drive without asking permission first. The researchers describe how the attacker’s page creates a large file on your drive. then listens to tiny speed fluctuations as the SSD becomes busy handling other tasks.
Those fluctuations are fed into an AI model trained to recognize the telltale patterns of specific websites and apps.
In testing—on an Apple M2 Mac—the researchers report the technique correctly identified which websites a person had visited with about 89% accuracy. and which apps were running with about 96% accuracy. The same attack can also run across different browsers at the same time. In practice, that means visiting the attacker’s page in Chrome can still expose what you’re doing in Safari.
The browser makers won’t fix this, not right away. The article says Google, Apple, and Mozilla were informed, but none have committed to a fix.
For now, the most immediate stopgap is simple: close the tab. FROST has not been spotted in the wild yet, which keeps this threat in the “emerging” category for the moment. But the technique only works while the offending tab is open—closing it immediately stops the attack.
There are also broader signs to watch for. The recommended defense right now is keeping an eye on available disk space. A sudden, unexplained drop in storage is described as a red flag worth investigating immediately.
Browser-level defenses have been discussed, including capping how much disk space OPFS can claim. But given the lack of commitment from Google, Apple, and Mozilla, browser-level changes aren’t expected “any time soon.”
And the uncomfortable takeaway is that your browsing privacy may not depend only on your settings. In this case, it may also depend on how quickly you shut the tab after the page loads.
FROST OPFS SSD timing fingerprinting browsing privacy Apple M2 Mac malicious website browser tracking cybersecurity researchers disk space warning