1. 7

  2. 2

    If you have access to JavaScript, you can accomplish this without user input or knowledge by using getComputedStyle on the links, and checking the colour. Using a CAPTCHA for this is interesting in the sense that it could work on users without JavaScript.

    Are there any ways to disable the :visited selector in your browser?

      1. 2

        That’s really cool. I wasn’t aware of it. I wonder if other browsers do similar things.

        1. 2

          yes has it is a major privacy concern, all major browser does it

        2. 1

          I sit corrected!

          (Of course, if chrome/IE/safari/opera haven’t applied similar solutions, the majority of web users may still be vulnerable. And then there are the people who don’t bother to update their browsers…)

        3. 1

          I’d like to make a proof of concept that doesn’t require any user interaction. A hands-off version with a larger list of sites would make for a much more alarming (and realistic) demo of the exploit — especially since any ethically-challenged website could use this trick without their visitors’ consent (or knowledge), and some probably do.

          I haven’t heard of a way to disable :visited. It should be possible, but the only ways around it that I know of are turning off/clearing all your history, or disabling CSS — neither of which are realistic solutions.

          O̶b̶v̶i̶o̶u̶s̶l̶y̶ ̶t̶h̶e̶ ̶b̶r̶o̶w̶s̶e̶r̶s̶ ̶h̶a̶v̶e̶n̶’̶t̶ ̶d̶o̶n̶e̶ ̶m̶u̶c̶h̶ ̶a̶b̶o̶u̶t̶ ̶i̶t̶,̶ ̶s̶i̶n̶c̶e̶ ̶i̶t̶ ̶s̶t̶i̶l̶l̶ ̶w̶o̶r̶k̶s̶ ̶t̶h̶r̶e̶e̶ ̶y̶e̶a̶r̶s̶ ̶l̶a̶t̶e̶r̶.̶