Researchers have found a way to use the web's basic functions to identify who visits a site—without the user detecting the hack.