tl;dr: Recently TinSnail has provided a nice demonstration, using :visited pseudo-selector to trick the user into revealing his browser history. While interesting his small "game" was not something that could be commonly used against most users. I have tried to develop the idea tricking the user during its usage of captchas.

A few random tries

I did not read what was display on the project's GitHub README.MD , nor :visited documentation and tried to go quick and dirty:

Trying to read from the browser API what was the color displayed

Selecting the link matching the :visited pseudo selector through some dirty $(':visited');

But after a few tries I understood that :visited is a kind of edge case, a dirty one, and now my first opinion, is that, no matter how restricted the allowed uses of :visited , letting developers customize the user view according to the user's history is opening gates to malicious practices. An old practice from the first days of the web that is not making sense on a security standpoint.

Let's make a captcha

Then I started thinking that it was easy to make something that looks like a captcha (and could be a real one) but tricks the user to input values according to his browsing history. I spent a few tries building a captcha, playing with image opacity according to the visited status of the page.

Bad idea again... After reading carefully the manual, I came out with something which was really working. The trick lies mostly in a few line of CSS code that will make a letter visible or not depending on the browser history without playing with transparency (which is not authorized):

#captcha a { color: white; } #captcha a:visited { color: black; }

The users sees a character only if he has visited a website in a context in which he is used to input what he sees on the screen.

Making it real

On GitHub, you will find a demonstration and the related source code.

Credits

Credits must of course be given to TinSnail for his nice proof of concept.