Jul 19, 2011 16:51 GMT

Epic Marketplace, a member of the self-regulatory Network Advertising Initiative (NAI), is using a CSS hack to determine what websites its visitors accessed in the past.

The CSS history hack has been known since 2006 and relies on feeding the user's browser a list of links and determining which of them are styled as visited.

This form of history stealing is considered a privacy vulnerability by most experts because it can also be used for user tracking or identification.

A year ago, researchers from Stanford Law School's Center for Internet and Society found that several major adult sites were using the CSS history hack to determine whether users had visited their competition. A total of 46 sites from the Alexa top 50,000 were caught sniffing browsing history.

Addressing the CSS history hack was not easy, because it abuses legitimate functionality that is critical to the browsing experience. Major browser vendors have implemented a fix in their recent versions, but half of users still remain vulnerable.
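The technique described above leaves a recognisable footprint in page source: a large list of links that the visitor never sees, a `:visited` rule that gives those links a distinguishing colour, and script that reads the rendered style back (and, in the case reported here, saves its progress in a cookie). The following scanner flags that combination heuristically. It is an added example for illustration only, not Epic Marketplace's script or the CIS researchers' measurement platform; the threshold of 50 hidden links, the sample pages and the `example.com` URLs are constructed assumptions.

```python
"""Heuristic scanner for the CSS history-sniffing footprint in a page.
Added example for illustration; it is not Epic Marketplace's script nor the
CIS researchers' measurement platform. Thresholds and sample pages are
constructed assumptions."""
import re
from html.parser import HTMLParser

# Signals a history sniffer leaves in the page source. All three core signals
# are needed for the classic hack: links to probe, a :visited style that tells
# them apart, and script that reads the rendered style back.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VISITED_RULE = re.compile(r":visited\s*\{[^}]*(?:color|background)[^}]*\}", re.I)
STYLE_READ = re.compile(r"getComputedStyle|currentStyle", re.I)
COOKIE_USE = re.compile(r"document\.cookie", re.I)
MIN_HIDDEN_ANCHORS = 50  # assumed threshold; real sniffers probe thousands of URLs
VOID = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col",
        "embed", "source", "track", "wbr"}  # elements with no closing tag


class PageInventory(HTMLParser):
    """Counts <a href> elements that sit inside a hidden ancestor and collects
    the text of inline <style> and <script> blocks."""

    def __init__(self):
        super().__init__()
        self.hidden_scopes = []   # one entry per open element: True if it hides its subtree
        self.hidden_anchors = 0
        self.total_anchors = 0
        self.css, self.js = [], []
        self._capture = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "a" and "href" in a:
            self.total_anchors += 1
            if hides or any(self.hidden_scopes):
                self.hidden_anchors += 1
        if tag not in VOID:
            self.hidden_scopes.append(hides)
        if tag in ("style", "script"):
            self._capture = tag

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden_scopes:
            self.hidden_scopes.pop()
        if tag in ("style", "script"):
            self._capture = None

    def handle_data(self, data):
        if self._capture == "style":
            self.css.append(data)
        elif self._capture == "script":
            self.js.append(data)


def analyze(html):
    """Return the indicator set and an overall verdict for one page."""
    inv = PageInventory()
    inv.feed(html)
    inv.close()
    css, js = "".join(inv.css), "".join(inv.js)
    indicators = {
        "hidden_link_list": inv.hidden_anchors >= MIN_HIDDEN_ANCHORS,
        "visited_colour_rule": bool(VISITED_RULE.search(css)),
        "reads_computed_style": bool(STYLE_READ.search(js)),
        "cookie_bookkeeping": bool(COOKIE_USE.search(js)),  # progress kept across page loads
    }
    # The three core signals together are the fingerprint; cookie use is supporting evidence.
    suspicious = (indicators["hidden_link_list"]
                  and indicators["visited_colour_rule"]
                  and indicators["reads_computed_style"])
    return {"suspicious": suspicious,
            "hidden_anchors": inv.hidden_anchors,
            "total_anchors": inv.total_anchors,
            **indicators}


def build_probe_page(n=120):
    """Constructed sample resembling a sniffing page: n links in a hidden div,
    a :visited colour rule, and script that reads styles and touches cookies.
    The script is a signature only, not a working scanner."""
    links = "".join(f'<a href="http://example.com/site{i}/">{i}</a>' for i in range(n))
    return (
        "<html><head><style>a:visited { color: #ff0000; }</style></head><body>"
        f'<div id="probe" style="display:none">{links}</div>'
        "<script>var c = window.getComputedStyle(link, null).color;"
        " document.cookie = 'progress=0';</script></body></html>"
    )


# Constructed ordinary page: visible navigation links and a normal :visited style.
BENIGN_PAGE = """<html><head><style>a:visited { color: purple; }</style></head>
<body><nav><a href="/">Home</a> <a href="/about">About</a></nav>
<img src="logo.png"><br>
<script>document.getElementById('x').textContent = 'hi';</script></body></html>"""


if __name__ == "__main__":
    for name, page in (("probe", build_probe_page()), ("benign", BENIGN_PAGE)):
        print(name, analyze(page))
```

A `:visited` rule on its own is ordinary site styling, which is why the verdict requires the hidden link list and the computed-style read as well; pages that hide the probe links by class or off-screen positioning rather than inline `display:none` would need the hidden check extended to stylesheet rules.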

The same CIS researchers who found the history-stealing violations last year have now identified Epic Marketplace's hack during a study about tracking opt-outs.

"While testing the JavaScript instrumentation in our new web measurement platform we stumbled across Epic Marketplace history stealing on Flixster and Charter.net," the researchers write.

Interclick, another NAI member that was previously caught stealing history, is currently facing class action litigation.

Epic Marketplace's history stealing script is well designed. It is very fast, being capable of scanning thousands of lines per second, and it can resume from where it left off by saving its progress in a cookie.

"We also examined a series of URL lists that contain 15,511 entries. The URLs and interest segments range greatly. Some URLs are for a landing page; others are for a specific page. Some interest segments are broad; others are fine-grained," the researchers say.

In addition, the advertising company does not stop tracking visitors after the NAI opt-out cookie is set or when the Do Not Track header is sent along with requests.
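Honouring those two signals is a small amount of request-side logic: check the `DNT` header and the opt-out cookie before any profile lookup, and write no identifier back when either is present. The following is an added example of that check, not Epic Marketplace's or the NAI's code; the cookie name `OPT_OUT`, the `uid` cookie, the `segment_lookup` callback and the sample segment table are assumptions.

```python
"""Request-side check that stops ad-side tracking when the visitor has opted
out. Added example, not Epic Marketplace's or the NAI's code; the opt-out
cookie name, the uid cookie and the request format are assumptions."""

OPT_OUT_COOKIE = "OPT_OUT"          # assumed: each NAI member chooses its own name
OPT_OUT_VALUES = {"1", "true", "yes"}


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}.
    Tolerates missing values and stray whitespace instead of raising, so a
    malformed cookie cannot make the opt-out check fail open."""
    out = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value.strip()
    return out


def tracking_allowed(headers):
    """Decide whether this request may be used for interest tracking.
    headers: dict of request header name -> value (any case).
    Returns (allowed, reason). DNT: 1 is an explicit opt-out; DNT: 0 or an
    absent header expresses no objection and falls through to the cookie check."""
    h = {k.lower(): v for k, v in headers.items()}
    dnt = (h.get("dnt") or "").strip()
    if dnt == "1":
        return False, "DNT: 1 header"
    cookies = parse_cookies(h.get("cookie"))
    if cookies.get(OPT_OUT_COOKIE, "").lower() in OPT_OUT_VALUES:
        return False, "NAI opt-out cookie present"
    return True, "no opt-out signal"


def serve_ad(headers, segment_lookup):
    """Build the ad response. segment_lookup(cookies) returns the interest
    segments for a known visitor; it is consulted only when tracking is
    allowed, and no tracking identifier is written back otherwise."""
    allowed, reason = tracking_allowed(headers)
    h = {k.lower(): v for k, v in headers.items()}
    cookies = parse_cookies(h.get("cookie"))
    if not allowed:
        # Untargeted ad: no profile lookup, no Set-Cookie.
        return {"tracked": False, "reason": reason, "segments": [], "set_cookie": None}
    segments = segment_lookup(cookies)
    # "new-visitor" is a placeholder; a real server would mint an identifier here.
    return {"tracked": True, "reason": reason, "segments": segments,
            "set_cookie": f"uid={cookies.get('uid', 'new-visitor')}; Path=/"}


# Constructed sample profile store keyed by the assumed uid cookie.
SAMPLE_SEGMENTS = {"uid-123": ["travel", "sports"]}


def lookup(cookies):
    return SAMPLE_SEGMENTS.get(cookies.get("uid"), [])


if __name__ == "__main__":
    for hdrs in ({"Cookie": "uid=uid-123"},
                 {"DNT": "1", "Cookie": "uid=uid-123"},
                 {"cookie": "uid=uid-123; OPT_OUT=1"}):
        print(hdrs, "->", serve_ad(hdrs, lookup))
```

The check runs before the profile lookup rather than after it, so an opted-out visitor's identifier is never used to fetch segments, and the response carries no `Set-Cookie` that would re-establish tracking on the next request.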