Security researchers have disclosed a new browser-based side-channel attack called FROST that allows malicious websites to infer details about a user's hard drive using only standard JavaScript, with no special permissions or downloads required.
The technique exploits subtle timing differences in how modern solid-state drives respond to data requests. When a browser issues file read operations, an SSD responds slightly faster if the requested data is already in its onboard cache. By carefully timing these microsecond-level variations through JavaScript performance APIs, an attacker builds a statistical fingerprint of what is likely stored on the device.
Researchers tested FROST across multiple browsers on Windows and Linux systems with NVMe SSDs and found it effective even within standard browser security sandboxes. No user interaction is required — simply loading a page with the malicious script is enough to begin collecting drive-activity data.
The practical threat is real: an attacker who determines that a target machine has a specific enterprise security tool, antivirus package, or configuration file installed can craft more precise follow-on exploits. In high-value targeting scenarios, such as corporate espionage or nation-state intrusions, FROST-style reconnaissance helps attackers decide whether a target machine is worth pursuing and what defenses it has in place.
Mitigating FROST is technically difficult. The attack leverages performance timing APIs that power legitimate web profiling tools and cannot simply be removed without breaking other functionality. Browser vendors including Google, Mozilla, and Microsoft have been notified and are evaluating countermeasures such as adding artificial jitter to high-resolution timer outputs and imposing stricter performance sandbox rules. Some partial mitigations exist in recent Chrome and Firefox builds but may not fully block FROST in its current form.
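The jitter countermeasure described above can be modelled in a few lines. This is an added example, not code from the article, the FROST researchers, or any browser: the function names, the 80 µs and 95 µs latencies, and the timer settings are constructed assumptions chosen only to show how a coarser, jittered clock blurs a small timing gap.

```javascript
// Added illustration: how timer coarsening plus jitter blurs a small latency gap.
// All latencies are constructed sample values, not measurements of any drive.

// Small deterministic PRNG (mulberry32) so every run gives the same result.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Hypothetical hardened clock: add random jitter, then round down to the resolution.
function readTimer(trueUs, resolutionUs, jitterUs, rng) {
  const jittered = trueUs + rng() * jitterUs;
  return Math.floor(jittered / resolutionUs) * resolutionUs;
}

// Fraction of operations an observer labels correctly from one timed interval each.
function classificationAccuracy(resolutionUs, jitterUs, trials = 4000, seed = 1) {
  const rng = makeRng(seed);
  const FAST_US = 80, SLOW_US = 95, NOISE_US = 10; // constructed values
  const threshold = (FAST_US + SLOW_US) / 2;
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const isSlow = i % 2 === 1;
    const start = rng() * 1e6; // arbitrary point on the clock
    const duration = (isSlow ? SLOW_US : FAST_US) + (rng() - 0.5) * NOISE_US;
    const t0 = readTimer(start, resolutionUs, jitterUs, rng);
    const t1 = readTimer(start + duration, resolutionUs, jitterUs, rng);
    if ((t1 - t0 >= threshold) === isSlow) correct++;
  }
  return correct / trials;
}

const fine = classificationAccuracy(1, 0);       // 1 µs clock, no jitter
const coarse = classificationAccuracy(100, 100); // 100 µs clock with 100 µs jitter
console.log(`1 µs timer:    ${(fine * 100).toFixed(1)}% classified correctly`);
console.log(`100 µs+jitter: ${(coarse * 100).toFixed(1)}% classified correctly`);
```

The model times each operation once on synthetic data, so it illustrates the principle behind the countermeasure and is not a measure of how well any shipped browser mitigation performs.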
The disclosure follows a broader pattern of side-channel attacks emerging from academic and security research. Spectre and Meltdown showed in 2018 that CPU caching features could be weaponized against users. FROST suggests that storage hardware is the next frontier for this class of attack, and browser vendors will need to move quickly to stay ahead of exploit development.
Why It Matters
Enterprise security teams should treat browser hardening as a core endpoint defense requirement, not an afterthought. Organizations handling sensitive data should monitor patch releases from Google, Mozilla, and Microsoft closely, evaluate whether timer API restrictions can be enforced through group policy, and add storage-side-channel reconnaissance to their active threat modeling frameworks.
Source: Wired, June 1, 2026