Tracking your Browser History, with CSS

joebert (Sledgehammer, Genius; Joined: Feb 10, 2004; Posts: 13455; Loc: Florida)

Post June 14th, 2009, 2:40 am

A rather scary experiment for anyone who values their privacy.

http://www.making-the-web.com/misc/site ... isit/nojs/

It actually works pretty simply - it is simpler than the JS implementation. All it does is load a page (in a hidden iframe) which contains lots of links. If a link is visited, a background (which isn't really a background) is loaded as defined in the CSS. The background image will log the information, and then store it (and, in this case, it is displayed to you).

I noticed Ozzu pretty high up in the list of websites I've visited on the example, I wonder which one of you guys put this little experiment together. ;)
Strong with this one, the sudo is.
casablanca (Proficient; Joined: May 29, 2007; Posts: 481)

Post June 14th, 2009, 5:30 am

Scary stuff! I wonder where they got that incredibly huge list of sites from - it even found some relatively obscure sites in my history.
No Strings Attached: A JavaScript graphics demo.
George L. (Bronze Member; Joined: Nov 05, 2007; Posts: 2206; Loc: Malaysia)

Post June 16th, 2009, 2:19 am

I am a bit slow at this, but what exactly happens when I visit the site? I kept hearing "click.. click.. click.." Is my history folder being (IE) recorded?
casablanca (Proficient; Joined: May 29, 2007; Posts: 481)

Post June 16th, 2009, 4:49 am

George L. wrote:
What exactly happens when I visit the site? I kept hearing "click.. click.. click.." Is my history folder being (IE) recorded?

The way it works is actually quite simple (an amazing idea nevertheless), as explained on the site and quoted by joe. Basically there's a page with lots of links to common websites, and if a link is already visited, it loads a special "background image" using CSS, which is actually a server-side script that updates a page containing your list of visited websites. The "click" that you hear is IE reloading this page periodically.
No Strings Attached: A JavaScript graphics demo.
joebert (Sledgehammer, Genius; Joined: Feb 10, 2004; Posts: 13455; Loc: Florida)

Post June 16th, 2009, 5:19 am

Quote:
Is my history folder being (IE) recorded?

Technically, no.

If you've ever played the card game "Go Fish" as a kid, this works on the same idea.
Basically the attacker would know things that could be in your history folder and your browser inadvertently says yes or no each time the attacker asks "Have you been to this address?".
Strong with this one, the sudo is.
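The detection side of what joebert and casablanca describe, as an added example that is not from the thread or the linked demo: a small scanner that flags stylesheet rules where a `:visited` match would fetch a `url()` resource, which is exactly the "background that isn't really a background" the demo relies on. Current browsers restrict `:visited` styling to colour changes and never fetch resources for it, so this is the pattern a stylesheet auditor would look for in legacy CSS; the sample stylesheet and the selector names are constructed.

```javascript
// Added example, not from the thread or the linked demo: flag ":visited"
// rules whose url() value would be fetched, the exact channel the demo uses.
// Browsers now limit :visited styling to colour and never fetch for it.
const FETCHING_PROPS = new Set([ // properties whose url() triggers a request
  "background", "background-image", "list-style", "list-style-image",
  "content", "border-image", "border-image-source", "cursor",
]);

// Parse a flat stylesheet into { selector, declarations } records.
// Assumption: no comments or nested at-rules (true of the demo's page).
function parseRules(cssText) {
  const rules = [], ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  for (let m; (m = ruleRe.exec(cssText)) !== null;) {
    const declarations = m[2].split(";")
      .map((d) => d.trim())
      .filter((d) => d.includes(":"))
      .map((d) => {
        const i = d.indexOf(":"); // first colon splits name from value
        return { prop: d.slice(0, i).trim().toLowerCase(),
                 value: d.slice(i + 1).trim() };
      });
    rules.push({ selector: m[1].trim(), declarations });
  }
  return rules;
}

// One { selector, prop, url } record per place where a :visited match
// would turn history state into an outbound request.
function findVisitedLeaks(cssText) {
  const leaks = [];
  for (const { selector, declarations } of parseRules(cssText)) {
    if (!/:visited\b/i.test(selector)) continue;
    for (const { prop, value } of declarations) {
      const u = /url\(\s*["']?([^"')]+)["']?\s*\)/i.exec(value);
      if (u && FETCHING_PROPS.has(prop)) leaks.push({ selector, prop, url: u[1] });
    }
  }
  return leaks;
}

// Constructed sample in the shape of the sniffing page the thread describes.
const SAMPLE_CSS = `
a { color: blue; text-decoration: none; }
a:visited { color: purple; }
#l1:visited { background: url("log.php?site=ozzu.com") no-repeat; }
#l2:visited { background-image: url(log.php?site=example.org); }
#l3:visited { content: url('log.php?site=example.net'); }
#l3:hover { background: url(hover.png); }
`;
```

Running `findVisitedLeaks(SAMPLE_CSS)` reports the three `:visited` rules that would call the logging script and ignores the plain colour rule and the `:hover` rule, which says nothing about history.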
George L. (Bronze Member; Joined: Nov 05, 2007; Posts: 2206; Loc: Malaysia)

Post June 17th, 2009, 7:37 am

What is the purpose of the attacker knowing the websites I have been to?

Thanks, Joe, it is clearer now.

Thanks, Casablanca.
joebert (Sledgehammer, Genius; Joined: Feb 10, 2004; Posts: 13455; Loc: Florida)

Post June 17th, 2009, 7:45 am

Quote:
What is the purpose of the attacker knowing the websites I have been to?

I have no idea.

A few things I would use this for though:
1) Screening non-browser based bot traffic
2) Another confirmation as to whether a visitor actually visited a TOS when they claim not to have
3) To see if visitors have already visited my competitors

I'm sure I could think of more.
Strong with this one, the sudo is.
George L. (Bronze Member; Joined: Nov 05, 2007; Posts: 2206; Loc: Malaysia)

Post June 17th, 2009, 7:54 am

You are right, Joe. It is privacy intrusion, sort of.
casablanca (Proficient; Joined: May 29, 2007; Posts: 481)

Post June 17th, 2009, 9:25 pm

Being just a demo, I don't think it has immediate implications, but it just goes to show how "secure" our browsers are.
No Strings Attached: A JavaScript graphics demo.
joebert (Sledgehammer, Genius; Joined: Feb 10, 2004; Posts: 13455; Loc: Florida)

Post June 17th, 2009, 9:34 pm

Quote:
Being just a demo, I don't think it has immediate implications

How would you feel if I used this trick to find out if you've been shopping around at my competitor's site already, and if you have, make a request in the background to find out what that competitor is currently charging and cut the price by 5%? Now how would you feel if you were my competitor?

What if I determined that you frequently visit a competitor's site, and started showing you different, watered-down content because of that?
Strong with this one, the sudo is.
casablanca (Proficient; Joined: May 29, 2007; Posts: 481)

Post June 17th, 2009, 10:44 pm

Well, it definitely is a breach of privacy, but I'd say it's about the same as Google reading your mail to deliver relevant ads. In any case, it's for the corporates to bother about, and I doubt they will implement something like this anytime soon.
No Strings Attached: A JavaScript graphics demo.
George L. (Bronze Member; Joined: Nov 05, 2007; Posts: 2206; Loc: Malaysia)

Post June 18th, 2009, 7:43 am

casablanca wrote:
Well, it definitely is a breach of privacy, but I'd say it's about the same as Google reading your mail to deliver relevant ads. In any case, it's for the corporates to bother about, and I doubt they will implement something like this anytime soon.

Wait a sec, about the Google-reading-your-mail stuff, I think there is a way this could be done by some programs which read it and outcast it without storing your information. I am not sure.

Total posts in this topic: 12

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.