How To Profit From Invading Your Users' Privacy

by Jeremy Schoemaker on August 25, 2011 · 35 comments

*Important Notice* Please consult with laws in your area before acting on anything in this post. Even though many sites are doing some of the methods I describe, it does not mean it's legal. Consult your legal counsel.

What if I told you that just by visiting my website I am able to know everything about you? What sites you have been to, your name, your wife’s name, your phone number, your household income, and much more.

Here is how it works

One of the things your web browser (Internet Explorer, Chrome, Firefox, etc.) checks is the links on the page you are viewing. This is a “feature” for the user, so they are able to tell if they have been to a linked site before. By default, links that you have not visited are underlined blue and links that you have visited are a violet color.

Websites can override these defaults using cascading style sheets (CSS) to make links a certain color, or even replace the text altogether to load images for the links or, more importantly, for visited links. Now I can also set each visited link to a particular image.

So, let's say you come to my site and have visited apple.com. I could load apple.com as the image for that link if you had visited the site. But that is not very practical.

What would be practical (and profitable) is to set links for the top 10000 retail sites in the world in a 1-pixel frame that the user would never see. While the user would not see it… the website owner would, and could then load advertisements based on what sites you have previously visited.

This actually exposes a MUCH bigger problem though. If you can load an image based on where a person has been, then what's stopping me from dropping an eBay affiliate cookie if you have been to eBay? An Apple cookie if you have been to apple.com? An Amazon cookie, if I know you shop at Amazon?

Dropping these cookies via an image would pay me every time you continue to shop at these sites you already shop at. Plus it would be a nightmare for affiliate programs because, unlike most cookie stuffing, your click-through to conversion would be in line (maybe even more in line) rather than blind cookieing the entire world and easily getting busted.

Now, before you run off and do this: people are not only getting kicked out from affiliate programs for stuffing cookies, but some are actually being charged with “wire fraud” by the FBI.

It doesn’t really matter anyway though, because about a year ago web browsers started blocking the ability to load images from visited active links.
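
A way to audit a stylesheet for the image-on-visited-link pattern described above, as an added example that is not part of the original post. The sample CSS and its /track URLs are constructed for illustration, and findVisitedLoads is a hypothetical helper name.

```javascript
// Added example: flag CSS rules that tie a network load (url(...)) to a
// :visited selector. SAMPLE_CSS is constructed for illustration.
const SAMPLE_CSS = `
a:visited { color: purple; }
a#shop1:visited { background-image: url(/track?site=shop1); }
a.nav:hover { background: url(/img/hover.png); }
#frame a[href*="shop2"]:visited::after { content: url("/track?site=shop2"); }
`;

function findVisitedLoads(css) {
  const findings = [];
  // Strip comments so they cannot hide or fake a rule.
  const clean = css.replace(/\/\*[\s\S]*?\*\//g, "");
  // Match innermost "selector { declarations }" blocks.
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(clean)) !== null) {
    const selector = m[1].trim();
    // Only rules keyed on visited state are of interest.
    if (!/:visited\b/i.test(selector)) continue;
    for (const decl of m[2].split(";")) {
      const idx = decl.indexOf(":");
      if (idx === -1) continue;
      const prop = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1).trim();
      // A url() value means the browser would fetch something per visited link.
      if (/url\s*\(/i.test(value)) findings.push({ selector, prop, value });
    }
  }
  return findings;
}

for (const f of findVisitedLoads(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.prop}: ${f.value}`);
}
```

The plain colour rule and the :hover image are not reported; only the two rules that would make a request depending on visited state are.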

So can you still see where all your users have been? Yes, but it takes a little more technical ability.

Through JavaScript you can check to see which sites your visitors have visited. All you have to do is set your visited links to an arbitrary color and then simply query the browser to see which links match the color you chose.

Let's say we don’t even use CSS and leave the visited link as the default color.

Then I would run this code on the page:

// websites: a predefined array of URLs to test (defined elsewhere on the page)
function stealHistory() {
   // loop through websites and check which ones have been visited
   for (var i = 0; i < websites.length; i++) {
      var link = document.createElement("a");
      link.id = "id" + i;
      link.href = websites[i];
      link.innerHTML = websites[i];
      document.body.appendChild(link);
      var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");
      document.body.removeChild(link);
      // check for visited
      if (color == "rgb(0, 0, 255)") {
         document.write('' + websites[i] + '');
      } // end visited check
   }
}

This would loop through a predefined set of specified websites and then check to see what color your web browser is displaying them as. If you have visited them then I know.
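
An added example, not code from the original post or from the UCSD report: a heuristic that reviews script source for the link-colour check shown above. The indicator names and scoreScript are hypothetical, and both sample snippets are constructed (the first is condensed from the loop in this post).

```javascript
// Added example: heuristic review of third-party script source for the
// link-colour history check. Indicator names are hypothetical.
const INDICATORS = {
  createsAnchor: /createElement\(\s*["']a["']\s*\)/,
  setsHrefFromData: /\.href\s*=\s*[A-Za-z_$][\w$]*\s*\[/,
  readsComputedColor: /getComputedStyle\([^)]*\)[\s\S]{0,80}?["']color["']/,
  comparesRgbLiteral: /[=!]==?\s*["']rgb\(/,
  removesProbe: /removeChild\(/,
};

function scoreScript(source) {
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(source));
  // Reading a computed colour is common on its own; it only matters together
  // with anchors whose href is filled in from a list of sites.
  const suspicious =
    hits.includes("createsAnchor") &&
    hits.includes("setsHrefFromData") &&
    hits.includes("readsComputedColor");
  return { hits, suspicious };
}

// Constructed samples: the loop from this post, and a benign theme helper.
const POST_SNIPPET = `
for (var i = 0; i < websites.length; i++) {
  var link = document.createElement("a");
  link.href = websites[i];
  document.body.appendChild(link);
  var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");
  document.body.removeChild(link);
  if (color == "rgb(0, 0, 255)") { document.write('' + websites[i] + ''); }
}`;
const BENIGN_SNIPPET = `
var header = document.getElementById("header");
var c = window.getComputedStyle(header).getPropertyValue("color");
document.documentElement.style.setProperty("--accent", c);`;

console.log(scoreScript(POST_SNIPPET));
console.log(scoreScript(BENIGN_SNIPPET));
```

A static match like this is only a triage signal for manual review, since obfuscated or dynamically built code will not match these patterns.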

Now you might think that it takes a while to check all these sites to see if you have visited before. It is a client-side thing, so it varies, but in my tests I was able to load 10,000 sites in less than 5 seconds.

The scary thing is you could mix some AJAX in with this and load an image that would still stuff cookies, or maybe even an iframe.

Now the above is obviously just proof-of-concept code. You would want to log the data to some sort of database.

What if I told you I was doing this to people on my sites… not stuffing but just tracking them. Tracking their IP with all the sites they visit. You would say I am pretty shady, right?

Big sites are doing it right now

A report done 7 months ago by the University of California, San Diego scanned more than 50,000 of the top Alexa-ranked sites, and here are some of the big names that were using JavaScript to detect what sites you have been to:

youtube.com
wired.com
technorati.com
youporn.com
charter.net
newsmax.com
namepros.com
morningstar.com
twincities.com
yahoo.co.jp
sina.com.cn
microsoft.com
mail.ru
about.com
thesun.co.uk
perezhilton.com

Maybe you recognize some of them? A lot of them have since removed the code. Read the full report for more details. It also has the exact code the sites were using (a lot better than my example above).

But what is the data probably used for?

What the report found was that, out of the over 400 sites that were getting your history, 90% of them were sniffing for eBay. Why? Was eBay buying data on who visits their site and where they go?

The most practical application for this is for the website owner to sell the data (that would include your IP address and all the major retail outlets you visit) to advertising companies like DoubleClick. They could then target them throughout their entire network.

Enough about history, what else can we find out?

Let's take it a bit further. If you were to comment or use any service on a site, they could take that email and run it against Facebook’s tools. Being that 70% of people on the internet have a Facebook account and Facebook has your account “open” by default, I can look up all the information on your Facebook account that is publicly accessible. By default this includes your phone number, your interests, all your friends, your location, where you work and tons of other stuff.

I could then add this to my arsenal of data that I have on you to sell you products (or sell the data to a company who does so).

Let's take that another step further. There are services out there that aggregate data from many sources and can look up people’s information from a phone number or email.

So now I can take your email (which came from my site) or, for more accuracy, your phone number (which I just got from Facebook) and I can use that data with the tools provided by data services like amplemedia. Within seconds it will return your home address, how many kids you have, your household income, and possibly your credit history and other data.

So just by visiting my site and making a comment I now know your name, your email, your phone number, all your friends (and possibly all their phone numbers), your household income, and on a basic level all of the websites you have visited.

Do you think this would help me find the right kind of shit to sell you?

About the author...

Hi, I am Jeremy Schoemaker and ShoeMoney.com is my blog. 99% of the posts here are done by me but you will see others occasionally make guest posts. This blog is fun to write but for my day job I run several online companies.

1 Maxwell August 25, 2011 at 1:51 pm

Wow shoe that is crazy…. Neat to see your security and internet marketing background collide =P

2 Summer August 25, 2011 at 1:51 pm

It's super scary what you hackers can do.

3 Onuora Amobi August 25, 2011 at 1:54 pm

Typo Jeremy

When your web browser (internet explorer, chrome, firefox, etc) one of the things it checks is for links

Other than that, awesome post as usual.

4 Jeremy Schoemaker August 25, 2011 at 3:19 pm

Thanks got it

5 Lyndsy Simon August 25, 2011 at 2:03 pm

I sure don’t want to be charged with “wife fraud” :)

I’m torn on what I think about it. On one hand, all this is is data aggregation, something I do every day. On the other, yes, you have access to a *lot* more information on people than they think.

6 Jeremy Schoemaker August 25, 2011 at 3:19 pm

lol

7 Ryan August 25, 2011 at 2:03 pm

That's funny, I didn't know this practice would get you in trouble with your wife. “Wife Fraud”? Who knew. :)

“Now before you run off and do this people are not only getting kicked out from affiliate programs for stuffing cookies but some are actually being charged with “wife fraud” by the FBI.”

8 Vin August 25, 2011 at 2:42 pm

Wife Fraud?

9 Jeremy Schoemaker August 25, 2011 at 3:31 pm

It's fixed already… premature posting…

10 Vin August 31, 2011 at 8:55 am

Sorry dude! I didn’t catch all the other comments about it prior to posting.

11 Khalid August 25, 2011 at 3:22 pm

I really do not know how I feel about this… on one hand it is super smart but, on the other, like you said, it is shady. However, who isn’t shady these days?

12 Jevon August 25, 2011 at 3:56 pm

This is super crazy and scary! I have probably made some scam artist money now. Good to know!

13 Priscilla August 25, 2011 at 4:16 pm

Thank goodness I do not have a Facebook, I guess that is one good thing that comes from someone hacking it ;)

14 Alivia August 25, 2011 at 4:41 pm

Well this is concerning and awesome at the same time

15 Wyatt August 25, 2011 at 4:42 pm

I knew this was going on, I just didn’t know how they were doing it. Thanks Shoemoney!

16 Jaheem August 25, 2011 at 4:42 pm

I’ll be giving this a try…

17 Clare August 25, 2011 at 5:37 pm

Wow, scary stuff!

18 VJ August 25, 2011 at 7:17 pm

Wow, it’s incredible to think that you can grab all that with a visit to a site. What isn’t incredible is that there are major sites doing it. Spam used to be the big no-no. I worked for a company in 2002 that sent out 3 billion (permission-based) spam per month. Spam is NOTHING in comparison to this. This is why I left the USA… when my cell phone company (ATT) wanted me to verify my brother and sister’s names before they turned my cell phone account back on! Nuts… the companies of the world have gone nuts and there is no government – or anybody to protect them.

19 Web Hosting Mexico August 25, 2011 at 8:43 pm

I am more scared of what Facebook is doing right now with user info than all this. While this will take a certain degree of knowledge and work, users give Facebook all their information when signing up!

20 fas August 26, 2011 at 2:15 am

So basically one needs to be smart and do it when you know you won't get caught?

21 Sindre August 26, 2011 at 3:45 am

Updated browsers seem to not send info to the DOM about what color the link is etc. So it seems you can feel safe if you keep an updated browser.
I’ve tested FF 6 and Chrome 13.0.782.215 for Mac.

Or is it just me who can’t get this to work? :P

22 Jeremy Schoemaker August 26, 2011 at 8:37 am

Did you try my code or the code in the article? The code in the article for sure still works. Mine was working on my Chrome browser at the time of testing.

23 eCOMLEADS (Affiliate Network) August 26, 2011 at 8:46 am

cracking up on the wife fraud, for a second thought it was wire fraud… lol

24 Courtney August 26, 2011 at 12:23 pm

Scary, we all understand nothing on the internet is private and versions of following visitors around is nothing new. Automatic way to get this post on facebook! I don’t want my friends and family to be out in the dark!

25 hernan August 29, 2011 at 8:23 am

Hi, I am really happy I’ve found this information. Nowadays bloggers publish just about gossip and internet stuff and this is actually irritating. A good site with exciting content, that’s what I need. Thanks for making this website, and I will be visiting again.

26 dambovita August 29, 2011 at 10:08 am

Someone linked to your article.
I’ve read it just from curiosity and it’s really scary. Good stuff anyway.

27 mayline olidan August 30, 2011 at 10:42 am

Very interesting and useful article, thanks for sharing. :)

28 krachttraining August 31, 2011 at 2:38 pm

Damn, that is some crazy stuff… don’t think this would work in the Netherlands.. shitty cookie rules

29 Kate September 4, 2011 at 2:59 am

Good article! Thank you!

30 matrix September 11, 2011 at 12:41 am

Incredibly beneficial thank you, I do believe your trusty subscribers will likely want even more blog posts similar to this maintain the excellent effort.

31 Jess September 18, 2011 at 4:56 am

Interesting article you’ve posted. I don't think I would ever use this method but it's good to know about it. Scary to know what people can do these days.

32 Bcolin September 18, 2011 at 5:05 am

I guess this data may be used in many forms. It is what I am researching.

33 Ryan September 19, 2011 at 10:22 am

We have been writing articles on computer security in our post. This is great stuff that I plan to recap and link back to this article in the near future. People are not aware of how vulnerable they are on the internet – Big Brother is watching!

34 Ryan September 19, 2011 at 10:22 am

We have been writing articles on computer security in our post. This is great stuff that I plan to recap and link back to this article in the near future. People are not aware of how vulnerable they are on the internet – Big Brother is watching!

35 Sony NEX 7 September 20, 2011 at 8:36 pm

Wow. Scary stuff. Nothing is private anymore, is it? Hope more is done over the next few years to help with this. But unfortunately, someone will just find a way to circumvent it.
