For those that were confused by the title (like me), here's the TL;DR:
Online advertiser, Epic Marketplace, is using a very sophisticated JavaScript script to do "history stealing", where they iterate through thousands of URLs to determine if a user has visited them. With this data, they can serve highly targeted ads.
It's highly shady at best, and illegal at worst.
Not really. The JavaScript loads an array of links to check against, builds a 1x1 pixel iframe, puts all the links in there (with styles applied to hide visited links), then it checks to see which links disappeared.
Browsers are securing against this by limiting styles that can be applied to the :visited pseudoclass to just color, then it serves back the default color if a script ever tries to check.
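The pattern the two comments above describe (a :visited rule that hides links, a 1x1 iframe, a very long list of anchors) as a defensive static check a reviewer could run over page markup before it ships. This is an added example, not code from the thread or from the advertiser; the property list, the 100-anchor threshold and the sample markup are constructed assumptions.

```javascript
// Added example: heuristic detector for the history-sniffing markup pattern.
// It flags a :visited rule that changes anything other than color, a tiny
// (0x0 or 1x1) iframe, and an unusually large number of anchors in one fragment.

// Returns the non-color properties set inside any :visited rule in the markup.
function visitedNonColorProps(css) {
  const found = new Set();
  const ruleRe = /:visited[^{]*\{([^}]*)\}/gi;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    for (const decl of m[1].split(";")) {
      const prop = decl.split(":")[0].trim().toLowerCase();
      if (prop && prop !== "color") found.add(prop);
    }
  }
  return [...found];
}

// Counts <a href=...> elements in a fragment of markup.
function countAnchors(html) {
  return (html.match(/<a\s[^>]*href=/gi) || []).length;
}

// True if the fragment declares an iframe whose width or height is 0 or 1 (px).
function hasTinyIframe(html) {
  const re = /<iframe\b[^>]*\b(?:width|height)\s*=\s*["']?[01](?:px)?["']?(?=[\s>/])/i;
  return re.test(html);
}

// Combines the three signals; two or more together is treated as suspicious.
// The 100-anchor threshold is an assumed tuning value, not a published figure.
function assessHistorySniffing(html, threshold = 100) {
  const reasons = [];
  const props = visitedNonColorProps(html);
  if (props.length) reasons.push(`:visited sets non-color properties: ${props.join(", ")}`);
  const anchors = countAnchors(html);
  if (anchors >= threshold) reasons.push(`${anchors} anchors in one fragment`);
  if (hasTinyIframe(html)) reasons.push("0x0/1x1 iframe present");
  return { suspicious: reasons.length >= 2, reasons };
}

// Constructed samples: the structure the comment describes, and a benign page.
const links = Array.from({ length: 250 }, (_, i) => `<a href="https://example.invalid/${i}">${i}</a>`).join("");
const SAMPLE = `<style>a:visited{display:none;color:#000}</style><iframe width="1" height="1">${links}</iframe>`;
const BENIGN = `<style>a:visited{color:purple}</style><a href="https://example.invalid/">home</a>`;

console.log(assessHistorySniffing(SAMPLE)); // suspicious: true, three reasons
console.log(assessHistorySniffing(BENIGN)); // suspicious: false
```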
How come it's illegal for aaronsw to steal thousands of documents from a document repository, but it's not illegal for an advertiser to steal thousands of history entries from my browser? If anything, this sounds significantly more illegal: code that I don't want to run is injected into my browser, and then it steals personal information that I make an effort to keep secret. If this isn't unauthorized access to a protected computer system, what is?
Interesting to see how they've used it. I remember seeing a proof of concept a while back checking the most popular sites against your browser history and pointing this flaw out. Now it will be interesting to see the repercussions of actually abusing this.
Where do you draw the line? 0x0 doesn't work. Let's use 1x1 and blend it in somewhere. 10x10? Probably can find a square somewhere to hide it. Or a long rectangle at the bottom perhaps with a solid color. I don't see blocking 0x0 as a real solution to the problem.