CSS History Stealing Applied to Black Hat SEO

CGI security has an interesting write-up on how to use Jeremiah Grossman’s CSS History Stealing Trick. For those of you who haven’t already read it, there is a way to check where your users have been by checking their CSS history. So, in answer to his August ponderism:

I wonder how long until the marketers start using this for additional visitor profiling. Feel free to view-source and find the trick.

Less than 2 months!

You run www.sitea.com, and www.siteb.com and www.sitec.com are competitors of yours. Now, you know these companies use www.ad1.com and www.ad2.com to serve up ads. What you don’t know is how effective these ads are; simply put, without direct access to the web server logs you can’t really tell. Well, this isn’t entirely true!

Let’s say VisitorA visits your site www.sitea.com. You can use the CSS history stealing trick to see if they have visited www.siteb.com and/or www.sitec.com. If they’ve visited a competitor, you’ll know that this person is semi-serious about whatever reason they’re visiting your site for. Using the same CSS trick you could also enumerate a list of links (only enumerated if the link was visited) against each competitor website to see what they viewed on this site. This could include seeing which products/services they are interested in, if they visited the ‘contact us’ page and possibly if they also visited the ‘thank you for submitting your data’ page (letting you know they submitted a form). Now that you know where your visitor has been, you can utilize the same trick on websites advertising your competitors to see where they came from. Why bother? Well, now you know which ads are in fact paying off for them and can advertise with the same company.

A more elaborate example would be dynamically generating a discount if the current visitor has visited a competitor, potentially winning a deal.

So now you can map out all of your competitors, and if a visitor has visited one of them and you know the price on that site to be X, you can sell for X-5 (for example). The possible applications are endless . . . but are they legal? Donno. I doubt there are any laws written about grabbing someone’s CSS history. Any lawyers care to chime in?

How could SEO blackhats use this? Off the top of my head, for manipulative “link trading”. To automate the process, you set up a script that grabs the URLs of all the places you send this email:


I really like your site (sitename.com). In fact, I have put a link to your site from my site (as you can see here). Don’t feel obligated, but I would really appreciate a link back when you get the chance.

Thanks much!


Then the link is only served when their site’s CSS is in their history (which will be about 99% of the time).

Or, you could use the same application with trackback spam . . . or Referral Spam. Trackback someone and only serve a link if they have their own CSS in their history. That’s some dirty pool, but you can bet that people are going to be doing it because of how Google dramatically discounts reciprocal links.
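For site owners who want to check whether a stylesheet delivered on their pages (for example by an ad or widget provider) carries the kind of visited-link probing discussed above, here is an audit sketch; it is an added example, not code from this post or from the write-ups it cites. It assumes the probing is expressed as `:visited` CSS rules; the function name, allow-list and sample stylesheet are constructed for illustration.

```javascript
// Colour-only properties that current browsers still apply in :visited rules
// (list per MDN, abbreviated; treat it as this example's assumption).
const SAFE_VISITED_PROPS = new Set([
  "color", "background-color", "border-color", "border-top-color",
  "border-right-color", "border-bottom-color", "border-left-color",
  "outline-color", "column-rule-color", "text-decoration-color",
  "text-emphasis-color", "fill", "stroke",
]);

// Constructed sample stylesheet (hypothetical selectors and tracker host).
const SAMPLE_CSS = `
a:visited { color: #551a8b; }
a#c1:visited { background: url(https://tracker.example/hit?u=c1); }
a.probe:visited { display: none; color: red }
@media screen { a.m:visited { width: 1px } }
`;

// Returns one finding per suspicious declaration inside a :visited rule.
function auditVisitedRules(cssText) {
  const findings = [];
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop CSS comments
  // Matches innermost "selector { declarations }" blocks, so rules nested
  // inside @media are inspected too.
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const selector = m[1].trim();
    if (!/:visited\b/i.test(selector)) continue;
    for (const decl of m[2].split(";")) {
      const idx = decl.indexOf(":"); // first colon separates property/value
      if (idx < 0) continue;
      const prop = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1).trim();
      if (/url\s*\(/i.test(value)) {
        // A fetch tied to visited state would report the visit to a server.
        findings.push({ selector, prop, reason: "network-fetch" });
      } else if (!SAFE_VISITED_PROPS.has(prop)) {
        // Layout/visibility changes are the ones a script could measure.
        findings.push({ selector, prop, reason: "non-colour-property" });
      }
    }
  }
  return findings;
}

console.log(auditVisitedRules(SAMPLE_CSS));
```

Current browsers ignore everything except colour properties in `:visited` rules, so a finding points to a leftover or attempted probe in the stylesheet rather than a working one.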


One Response to “CSS History Stealing Applied to Black Hat SEO”

  1. dunsh.org says:

    Aha! is cool idea for spam seo use!