THE VERTEX.
TECHNOLOGY | 1 June 2026

FROST: How Browsers Can Spy on Your SSD via JavaScript

FROST shows that a web page can infer SSD activity by timing JavaScript reads, creating a side‑channel that profiles user behavior without stealing data. This new privacy risk forces browsers and users to reconsider isolation between web code and hardware.

La Rédaction
The Vertex
Source: www.wired.com
New research called “FROST” shows that a web page can infer a user’s SSD activity without special permissions, simply by timing JavaScript calls that trigger reads. It exploits micro-latency variations in SSD cache access, measured via the high-resolution timers in modern browsers.

The technique issues read requests to arbitrary paths via the File System Access API and records the elapsed time of each request. SSD latency changes with cache occupancy, so the timing pattern creates a fingerprint that can reveal which files have been accessed, even without direct data exfiltration. It can be executed without user interaction.

This discovery raises privacy concerns. While no data is stolen, the side channel lets a site profile browsing habits, infer sensitive documents, or target users for surveillance. It could also be combined with other telemetry to build detailed user profiles in real time, and it is stealthy and hard to detect.

Historically, side-channel attacks targeted CPUs and networks, but SSDs store persistent data that can be queried indirectly. FROST extends earlier JavaScript timing attacks to storage, showing that web code can now indirectly monitor hardware behavior previously hidden from browsers. That challenges the assumption that sandboxed browsers isolate applications from low-level system metrics in real-world deployments.

In the future, browsers may limit high-resolution timers and throttle file-system read granularity, while users could rely on encrypted containers or drives with built-in privacy. The emergence of SSD-spying via JavaScript highlights a growing arms race between software isolation and hardware telemetry, urging both developers and regulators to rethink security boundaries and prompting new standards.
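To make the timer-limiting mitigation mentioned above concrete, the following added example (not code from the FROST research or from any browser) models a clock clamped to a fixed resolution and measures how often a simple threshold observer can still tell a fast operation from a slow one. The latency values, jitter and single-threshold observer are constructed assumptions for illustration, not measurements.

```javascript
// Added example: effect of timer coarsening on a latency side channel.
// All latency values are constructed for illustration, not measured.

// Small deterministic PRNG (mulberry32) so the run is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Model of a clamped clock: the page only sees time rounded down to
// a multiple of `resolutionUs` at both the start and the end of an operation.
function clampedElapsed(startUs, durationUs, resolutionUs) {
  const q = (t) => Math.floor(t / resolutionUs) * resolutionUs;
  return q(startUs + durationUs) - q(startUs);
}

// Fraction of operations a single-threshold observer labels correctly
// when "fast" and "slow" operations are timed with the clamped clock.
function observerAccuracy(resolutionUs, samples = 2000, seed = 1) {
  const rand = mulberry32(seed);
  const FAST_US = 80, SLOW_US = 140, JITTER_US = 10; // constructed values
  const thresholdUs = (FAST_US + SLOW_US) / 2;
  let correct = 0;
  for (let i = 0; i < samples; i++) {
    const slow = rand() < 0.5;
    const duration = (slow ? SLOW_US : FAST_US) + (rand() - 0.5) * 2 * JITTER_US;
    const start = rand() * 1e6; // operation begins at an arbitrary clock phase
    const seen = clampedElapsed(start, duration, resolutionUs);
    if ((seen > thresholdUs) === slow) correct++;
  }
  return correct / samples;
}

// Compare a fine-grained clock with two coarser clamping levels.
for (const res of [1, 100, 1000]) {
  console.log(`${res} us timer -> observer accuracy ${observerAccuracy(res).toFixed(3)}`);
}
```

With a 1 µs clock the two constructed latency classes are fully separable; as the clamp grows past the latency gap, per-measurement accuracy falls toward chance.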