Hacker News
SocialHistory.js: See Which Sites Your Users Visit (readwriteweb.com)
36 points by sant0sk1 on May 28, 2008 | 10 comments



I wonder what other creative uses there are for this. For example, if someone visits digg you know they are likely to be a techie. If they visit seattle.craigslist.com you know they are likely to be in Seattle. If they visit drudgereport they may be a news buff. You could create a collection and if the user uses your site a lot you could try hundreds of things and pass them back to the server... interesting...


I'm suffering severe internal ambivalence; this is either great or terrible.

Business part of Jacob's brain: "Great"

User part of Jacob's brain: "Terrible"

I wonder how the public would split? And then I realise there will always be more users than businesses.


http://news.ycombinator.com/item?id=78939

You could use that as a barebones way to send data to google analytics or getclicky, or plug it in to a user profile (generated by yourself). Of course Aza's solution is waayyy more elegant.

And I'm sure firefox/opera/webkit will be closing up this vulnerability in the near future.


This is cool.

Last summer I had an inkling of an idea that used basically the same strategy. My idea (never implemented) was to set the background images on visited anchors to a dynamic image url that could be used to track pageviews from other sites, to perhaps determine what links from your site your visitors found most interesting, even if they didn't click to them from your site.

There are plenty of terrible use cases for something like this, but also plenty of benign and probably useful cases as well. If you were a search engine, for example, you could determine if a user has been to sites that show up in the search results, even if they don't click on the links from your site.

The full write-up of my strategy is here: http://tinyurl.com/6fnjod


How will they close this vulnerability? Make it impossible to check the color of text with javascript? I don't think that's going to happen. Besides, you could easily check a different attribute.

Maybe browsers should restrict the :visited attribute to one domain. Or maybe just base it on a daily history instead of your all-inclusive one.


This is not the scariest hack that can be done with HTML/JS. There is another one that checks if you are logged in to some web site, your bank for instance. Once a malicious page finds a site you are in, a hidden iframe can click on links and even submit forms on your behalf.



Phew, this is way less creepy than I thought from the title. At least they have to specify the sites.


clever


nice hack!



