New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing

A malicious website can work out which sites you visit and which apps you open, using nothing but JavaScript and the timing of your SSD. The attack, called FROST, needs no native code, no extension, and no permission prompt. You open the page, leave the tab sitting there, and it watches the drive for contention in the background. Researchers at Graz University of Technology built it and

According to the report, the FROST attack allows a malicious website to infer which other websites a user visits and which local applications they open by using only JavaScript and measuring SSD I/O contention and timing, without any extensions, native code, or permission prompts.[1][2] Researchers at Graz University of Technology demonstrate that by passively observing storage slowdowns and using techniques like the browser Origin Private File System (OPFS), an attacker can fingerprint user activity with notable accuracy.[1][2] From a CyberSE.AI perspective, this creates a stealthy side-channel for cross-tab and cross-app behavioral tracking that could expose sensitive browsing patterns or app usage of users interacting with AI agents in the browser, enabling correlation of identities, session hijack targeting, or deanonymization. Practically, organizations deploying browser-based AI agents should assume that co-resident malicious tabs may infer user behavior and possibly sensitive workflow patterns; they should harden browser security baselines, monitor for anomalous long-lived tabs, and consider isolating high-sensitivity AI workflows to dedicated browser profiles or hardened en