I read about this a while ago and people then concluded that FROST is harder to exploit in real-world scenarios than in the lab. Still worth addressing and a fix shouldn't be too difficult, e.g. by adding small amounts of random latency to OPFS accesses. Firefox already does this with other APIs to make fingerprinting harder. Chromium doesn't because they love fingerprinting.

Honestly, I'm not thrilled with the OPFS model in general. Each page can randomly occupy part of your storage with you having no control over the process. You don't get asked. You can't even inspect the data. Even if it turns out to be useless for fingerprinting, the ability to use your storage invisibly with zero effort is not a power I want to hand out like candy in an environment that supposedly is assumed to be adversarial by default.

The only upside is that browsers do have a quota which is apparently shared between all instances of IndexedDB and OPFS. So the threat model of "use OPFS to fill up the user's entire storage" isn't plausible per se even if you have multiple tabs to attack with. Filling up the storage to evict other sites' stored data might actually work, though, and while it sounds like more of an annoyance, it might also become a step in some other attack.

Besides, quota size is entirely up to the browser; while Firefox uses 10% of total storage or 10 GB, whichever is lower, Chromium can in principle take up to 60% of total storage. When I tried, both a Firefox-based browser and a Chromium-based one had quotas of exactly 10 GB; I suspect that my distro's packagers configured the latter when the built the browser package.

Important to note that this has not been seen in the wild yet. From the article this article directly quoted (without attribution):

"The technique was published by security researchers at Graz University of Technology. There are currently no indications of it being actively used by ad networks or malicious actors." [emphasis mine]

So at this point it seems like when you read, "Company X unveils new fusion reactor" and it means a new design for one. You probably aren't being surveilled with this yet.

We now return you to your regularly scheduled dystopian panic mode.

The researchers responsibly disclosed FROST to Google, Apple, and Mozilla before publishing. The responses are worth reading carefully:

• Google said it does not consider browser fingerprinting to be a security vulnerability.

• Apple described the attack as “currently out of scope,” with possible mitigations in the future.

• Mozilla acknowledged the findings but has not implemented any fix.

In other words, the three companies that ship some of the world’s most-used browsers have collectively said “ok, not my concern”. 

Fingerprinting is treated as a known cost of doing business on the modern web, and a side channel that leaks tab and application data through a storage API is, apparently, not a fire worth putting out.

Oh wow ... stating this is just regular fingerprinting is out of touch.

Its like my electric energy supplier analyzing current data and knowing brand, model and type of dishwasher and fridge. Which they can.

So ifI run a hardened Firefox inside a docker container and spoof any identifying information and run no other tabs or programs, will that limit exposure?

The web is becoming unusable from so many sides.

A bit overstated. I'd be very skeptical about this being useful in a real world situation.

Something worth noting, but not to get too worked up over. Firefox will probably address it at some point.

Super interesting! Thanks for letting us know.