So there is this older, known hack where you can walk the DOM and discover if a link on a page has been visited:
https://bugzilla.mozilla.org/show_bug.cgi?id=147777
This has all sorts of uses as a vector for phishing sites and XSS attacks. But what I just realized is that sites can conspire to use the visited attribute for a communication back channel.
If one site wants to covertly communicate a 32-bit number, say a user id, to another site, it can use the visited attribute. The method is as follows:
The transmitting site creates 32 URLs with names like foo.com/bit_1.html through foo.com/bit_32.html. Then, in some page, the sender takes the number it wants to transmit and, for each bit that is set, embeds a hidden frame with the URL of that bit. After this page has been viewed by the subject of the attack, any other page on the internet that knows the bit URLs can test whether those URLs have been visited and reconstruct the number that was set.
There are two clear shortcomings of this approach. First, the stored value only persists as long as the visited-link information lasts in the browser, which I think is nine days by default in FF as far as I can tell. Secondly, there is no way to unset bits. To deal with this, one could add a sequence number to the bit URLs:
foo.com/sequence_1.html
foo.com/bit_1_1.html
foo.com/sequence_2.html
foo.com/bit_1_2.html
Now, before you set a number, you walk up the sequence URLs until you find one that is not set, then you set the bits associated with that sequence.
This would basically allow one to have cookies that can be read from any page on the internet, with the added feature that no network IO is required to read the data; once someone has had the value set, it can even be read offline.
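To make the write-once nature of the channel and the role of the sequence number concrete, here is an added model of the bit-URL scheme (example code, not from the original post). It assumes the foo.com naming from the post and simulates the browser's history with a plain Set of visited URLs; the visited-link sniffing primitive itself is not implemented, so this only shows how values are laid out and why a second write needs a fresh sequence slot.

```javascript
// Model of the bit-URL scheme from the post. `history` stands in for the
// browser's visited-link store (constructed as a Set; no DOM or :visited access).
const BASE = "http://foo.com/"; // host name assumed from the post
const WIDTH = 32;

const seqUrl = (seq) => `${BASE}sequence_${seq}.html`;
const bitUrl = (i, seq) => `${BASE}bit_${i + 1}_${seq}.html`;

// URLs a page would have to load in hidden frames to record `value` under
// sequence `seq`: the sequence marker plus one URL per set bit.
function urlsToVisit(value, seq) {
  const urls = [seqUrl(seq)];
  for (let i = 0; i < WIDTH; i++) {
    if ((value >>> i) & 1) urls.push(bitUrl(i, seq));
  }
  return urls;
}

// Writer side: walk up the sequence markers to the first unused slot, then
// mark that slot and its bits as visited. Returns the slot used.
function storeValue(history, value, maxSeq = 64) {
  let seq = 1;
  while (seq <= maxSeq && history.has(seqUrl(seq))) seq++;
  if (seq > maxSeq) throw new Error("no free sequence slot");
  for (const u of urlsToVisit(value, seq)) history.add(u);
  return seq;
}

// Reconstruct the 32-bit value stored under one sequence slot.
function readBits(history, seq) {
  let value = 0;
  for (let i = 0; i < WIDTH; i++) {
    if (history.has(bitUrl(i, seq))) value |= 1 << i;
  }
  return value >>> 0; // force unsigned 32-bit
}

// Reader side: the highest visited sequence marker holds the current value.
// Older slots stay readable forever, since visited bits can never be cleared.
function readValue(history) {
  let seq = 0;
  while (history.has(seqUrl(seq + 1))) seq++;
  return seq === 0 ? null : readBits(history, seq);
}
```

Without the sequence number a second write would simply OR its bits into the first value, which is exactly the "no way to unset bits" limitation the sequence markers work around.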
