Researchers have uncovered a new web tracking method that bypasses privacy protections in most modern browsers. The attack, named Frost, does not rely on cookies or fingerprinting scripts that ad-blockers usually catch. Instead, it abuses a core part of how computers manage temporary power states.
The team behind the discovery warns that Frost works on all major operating systems, this includes Windows, macOS, Linux, ChromeOS, and even mobile platforms like Android and iOS. The attack makes a website act like a spy. It can follow you from one site to another without leaving the usual digital traces that privacy tools look for.
How Frost uses your CPU’s sleep mode to break privacy
Modern processors enter low-power states when idle. This saves energy and preserves battery life. Frost manipulates these sleep states to create a unique identifier for your machine. A malicious website runs a tiny script in the background. That script forces the CPU to switch rapidly between active and idle modes. Each processor responds slightly differently due to manufacturing variations.
The website records how long each cycle takes. These tiny timing differences become a signature. Think of it like a fingerprint made from your CPU’s behavior during sleep. Even if you delete all cookies or turn on a VPN, this signature stays the same.
According to a recent report, attackers can link this signature across multiple websites. That means a news site you visit in the morning and a shopping site you visit at night can confirm it is the same person.
You cannot block this attack with standard privacy extensions. Popular tools like Privacy Badger or uBlock Origin do not currently detect Frost, the script does not look malicious. It simply asks the processor to do normal power management tasks. The research team has tested Frost against Chrome, Firefox, Safari, and Edge. Every browser allowed the attack to run without any warning messages.
Why browsers and operating systems cannot stop frost yet
Browser developers face a hard problem here. Stopping Frost would require changing how the operating system exposes CPU timing data. That change could slow down legitimate web applications.
Accurate timing is critical to online games, video editing, and collaborative tools functioning correctly, according to security experts. This is a trade-off between privacy and performance.
The researchers have contacted Google, Apple, Microsoft and Mozilla with their findings, but none of the companies have issued a patch yet. A temporary fix for the timing issue is disabling the high-resolution timer setting within your browser. However, this breaks many websites.
Ordinary users cannot easily defend against Frost right now. Using a combination of a VPN and the Tor Browser reduces some risk. Tor Browser disables many timing APIs by default. But even Tor cannot fully eliminate timing-based attacks.
Parents concerned about online safety should also consider game content. Is Poppy Playtime safe for kids? explores the popular horror game’s appropriateness for younger audiences.
The research team suggests that browser makers must eventually introduce random noise into timing measurements. That noise would prevent attackers from getting the precise data they need to build a signature.
The bigger picture for online privacy
Frost represents a shift in tracking methods. For years, developers played a cat-and-mouse game with cookies and canvas fingerprinting, and privacy laws like GDPR and CCPA made those older methods harder to use. Attackers now look deeper into hardware. They abuse features designed for efficiency and convenience.
This discovery arrives as more people rely on privacy tools. A last year survey showed that nearly 80% of respondents feel they have little control over their data, Frost proves those feelings correct. You can install every blocker and still get tracked. The only complete solution involves changing the processor designs themselves. That will take years.
Until then, stay careful about which websites you trust. Avoid keeping multiple tabs open from unknown sources. The Frost attack works best when a user visits several sites that cooperate with each other.
Security researchers expect more hardware-based tracking methods to appear in the near future. Each new discovery makes the web a little less private for everyone.
