
More fun with CSS history

There's been a big fuss about the fact that with CSS you can identify whether someone has visited a certain link. I started to think about expanding this and came up with a neat little trick you can do involving online advertising.

You run www.sitea.com, and www.siteb.com and www.sitec.com are competitors of yours. You know these companies use www.ad1.com and www.ad2.com to serve their ads. What you don't know is how effective those ads are; simply put, without direct access to the web server logs you can't really tell. Well, this isn't entirely true!

Let's say VisitorA visits your site www.sitea.com. You can use the CSS history stealing trick to see if they have visited www.siteb.com and/or www.sitec.com. If they've visited a competitor, you'll know that this person is semi-serious about whatever reason they're visiting your site for. Using the same CSS trick you could also enumerate a list of links against each competitor website (a link only shows up if it was visited) to see what they viewed on that site. This could include seeing which products/services they are interested in, whether they visited the 'contact us' page, and possibly whether they also visited the 'thank you for submitting your data' page (letting you know they submitted a form). Now that you know where your visitor has been, you can use the same trick on websites advertising your competitors to see where they came from. Why bother? Well, now you know which ads are in fact paying off for them and can advertise with the same company.

A more elaborate example would be dynamically generating a discount if the current visitor has visited a competitor, potentially winning a deal. I suspect this use of the CSS 'trick' is going to spread like wildfire for many of the obvious reasons above. This raises the question: is this legal?

UPDATED: 10/4/06

I was thinking of the uses of this regarding phishing. Say they followed my Amazon phishing email; I can now track which banks they use and other websites to see which site I should phish next (a sort of victim profiling, if you will). Even more interesting would be the creation of generic phishing emails bringing a user to a site, and dynamically generating a phishing site based on the URLs that they've actually visited. Hmmm, need to think about this some more.
