
Banner ads on CNN.com contain keyloggers - braxxox
https://twitter.com/brannondorsey/status/1019253914133286912
======
Crontab
Sites bemoan ad blockers but then take no responsibility for the ads that are
shown. That needs to change - it’s not like print advertising.

~~~
microdrum
Google's monopoly status means it fulfills 90+% of the ads. I can guarantee
you that CNN has no control. There is no competition. So, erm, maybe the onus
is on Google?

~~~
oh_sigh
Google ads contain keyloggers? I doubt that.

~~~
mcny
> Google ads contain keyloggers? I doubt that.

Just to be clear, I think they are talking about advertisements placed via
Google's platform, not ad campaigns by Google.

I think there is only one way to solve this: programmatic ads cannot contain
executable code (no access to local storage or network) and ads must come from
the same origin as the page they are on. For example, YouTube will host an ad
for Subaru on YouTube's servers. The sticking point, as people have pointed out to
me before on HN, is fraud. The customer (in this case Subaru) does not trust
Google to be honest in counting the number of impressions.

Perhaps what we need is legislation banning this behavior across the board.
When no ad vendor is able to allow customers to do what they please on user's
web browsers, the customer has no recourse other than to accept that this is
not possible. I don't know how such legislation would work though. Perhaps
it needs to be an industry alliance instead of legislation?

~~~
oh_sigh
Again, I still doubt that Google places ads with key loggers via their
platform. Maybe I misunderstand something about how they operate though, and I
can't recreate anything close to what the original article shows. In fact, I
can't even load cnn.com right now.

------
thaumaturgy
Lots of speculation here, not much analysis, even from lazy gits like me.

Chrome web inspector kindly gives the "Initiator" for every request. In this
case it's cnn-header-second.min.js. Load that, and Chrome again kindly detects
minified JS and offers to pretty-print it.

The context here appears to be some kind of ad console tool, added by CNN, not
by an ad. The relevant function is at
[https://pastebin.com/EwgPAM6T](https://pastebin.com/EwgPAM6T)

It's a bit obfuscated/minified, and they don't seem to have a non-minified
version available, so it's not clear exactly what functionality this is
enabling.

Either way, not really a keylogger if it's not capturing all keystrokes and
shipping them off somewhere.

~~~
corny
Functionality is to enable an "AdFuel Creative Review" form when typing "d o
h" anywhere on the page. Try it. Then click the blue icon in the lower right.

~~~
reilly3000
The tool is for reviewing bad ads and ad stack QA.
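
The hotkey corny and reilly3000 describe needs only a short rolling buffer of recent keys, which is what separates a sequence matcher from a logger. The following is an added example, not keypress.js or CNN's own code, showing the core of a "type 'd o h' anywhere on the page" trigger: it retains at most sequence.length keys, forgets them after a pause, and hands nothing to the network. The 600 ms pause limit and the injectable clock are assumptions made for the example.

```javascript
// Added example (not keypress.js): a bounded multi-key sequence watcher.
// State is at most `sequence.length` keys; a pause longer than maxGapMs
// restarts the sequence. Nothing is stored or transmitted beyond that.
function makeSequenceWatcher(sequence, onMatch, maxGapMs = 600) {
  const want = sequence.split(" "); // "d o h" -> ["d", "o", "h"]
  let buffer = [];
  let lastAt = -Infinity;

  return {
    // `now` is injectable so the behaviour can be tested without real timers.
    feed(key, now = Date.now()) {
      if (now - lastAt > maxGapMs) buffer = []; // a pause restarts the sequence
      lastAt = now;
      buffer.push(key);
      if (buffer.length > want.length) buffer.shift(); // keep only the tail
      const matched =
        buffer.length === want.length && buffer.every((k, i) => k === want[i]);
      if (matched) {
        buffer = [];
        onMatch();
      }
      return matched;
    },
    // Number of keys currently retained; never exceeds want.length.
    retained() {
      return buffer.length;
    },
  };
}

// Browser wiring (not executed here): feed each keydown into the watcher.
// document.addEventListener("keydown", (e) => watcher.feed(e.key));
```

In a real page you would also skip events whose target is an input or textarea, so the hotkey cannot fire while someone is typing into a form; keypress.js exposes its own options for that, which this example does not reproduce.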

------
climber604
This is a prime example of how people so easily accept a headline shared on
some news authority to be truth. Even the bright minds at hacker news are
duped - just look at all the discussion happening here with the assumption the
headline is correct.

The guy who tweeted this jumped to a conclusion, naively shared his discovery,
then let it perpetuate leaving numerous victims of an erroneously altered
world-view.

~~~
NotQuantum
I seriously think people shouldn't be able to comment / see comments on HN
unless they've at least clicked on the darn link. I took one look at the
"keylogger" source code and recognized it.

------
lifeformed
The point stands, but that's not really a keylogger. It's a library to manage
keyboard inputs. Of course, it could also send all key info somewhere
externally too.

~~~
wanderfowl
But in what universe would an individual ad need that? This seems like
precisely the sort of thing that a third party ad would be prevented from
doing.

~~~
ErikHuisman
Keypress.js doesn't really help creating a keylogger. It does make creating
interactive ads easier though.

~~~
isostatic
The 90s called and want "punch the monkey" back

------
snissn
I'm skeptical that this is a) from a banner ad and not from operation of the
site b) a full blown keylogger and not a library included that is used for
something like a photo gallery (that may have ads in it)

~~~
jpalomaki
Also, the file is served from turner.com domain, which is the company who owns
CNN.

------
cirenehc
Scripts from the ad should be iframed no? Doesn't make sense that an ad could
run arbitrary JS within the same browsing context as the host.

~~~
tialaramex
It doesn't make any sense, but it's very popular.

To be fair, when they're desperate real world newspapers are like this too.

A flush, successful newspaper will make a deal of its editorial independence
and insist you write "Advertising Feature" in big letters at the top of your
full page ad, use a completely different typeface and give your company's
name, but when money is tight the guy selling those adverts is under pressure
to compromise. What if it says "Sponsored content" rather than "Advertising
Feature"? And rather than big letters at the top, how about small disclosure
text at the bottom? The typeface could be a very good clone of your normal
editorial typeface, and still count as "different" right? And let's have a
byline which says "Our staff", that's vague, and the poor reader might think
it means it was written by journalists, but it doesn't strictly _say_ that, it
just says "Staff" which could be anybody...

This is how internationally famous British newspapers end up running content
literally written in Beijing or Moscow to let everybody know how free and
wonderful those countries are, using weasel words like "in co-operation with".
And if the _actual_ news is a bit awkward? Well, you wouldn't want that
lucrative sponsored content deal to lapse would you? Maybe a brief mention on
page 14 is enough, even if those newspapers which still have a backbone ran it
on their front page.

~~~
cirenehc
Are you sure this approach is popular? AFAIK none of the top ad platforms
allow you to inject scripts. Do you know any?

------
mmcwilliams
It appears to be getting the keypress.js library from ssl.cdn.turner.com. Not
clear if the data is being exfiltrated, though, just by looking at that tweet.

~~~
trash_panda
Exactly, it is incorrect to jump to the conclusion that they are using a
keylogger. I mean, they're loading a JS library that allows handling keypress
events; but if you talk about a keylogger everyone assumes that they're
stealing your keystrokes.

What needs to be done is to navigate the site, typing a given char sequence
on every page while logging the HTTP traffic, then search for that
sequence to see if it appears in any request. That's the basic thing you could
do to actually verify if there is a keylogger.

------
ryanlol
>ssl.cdn.turner.com

Obviously bullshit. That's CNN's CDN, not a "banner ad". This guy did not put
in the least bit of effort to verify his claims.

The script is included in [https://edition.cnn.com/.a/2.103.4/js/cnn-header-second.min.js](https://edition.cnn.com/.a/2.103.4/js/cnn-header-second.min.js)

~~~
neetdavid
It appears to be used to set up multi-key hotkeys for debugging. Pressing 'd o
h' on the page requests some adfuel console resources.

------
nvr219
This is getting upvoted without getting the context.

------
notadoc
Here's what is actually being run

[http://dmauro.github.io/Keypress/](http://dmauro.github.io/Keypress/)

~~~
cbcoutinho
Why aren't the code snippets in a monospace font? Is there readability ux that
thinks this is a good idea?

~~~
eat_veggies
they look monospace to me

[https://i.imgur.com/K5L7xit.png](https://i.imgur.com/K5L7xit.png)

------
sbinthree
How likely is this to be due to accessibility (ie. keyboard-only users) vs.
keylogging?

~~~
ruskerdax
Doesn't seem likely that an advertisement would need to embed that kind of
functionality.

~~~
Someone1234
What kind of functionality? This is just a generic library for more easily
managing keyboard input, JavaScript itself supports the same but in a more
clunky way.

------
LinuxBender
I would suggest their "lite" [1] version. It is compatible with addons like
NoScript, uMatrix, uBlock, Canvas Fingerprint Defender, CSS Exfil Protection,
Privacy Settings and Self Destructing Cookies. I am using FF 52 ESR. Some of
these addons may not work in 58+.

They could improve their HTTP header settings a bit. [2]

[1] - [https://lite.cnn.io/](https://lite.cnn.io/)

[2] -
[https://securityheaders.com/?q=https%3A%2F%2Fcnn.com%2F&foll...](https://securityheaders.com/?q=https%3A%2F%2Fcnn.com%2F&followRedirects=on)

------
dahart
Iframed banner ads _can’t_ log keystrokes outside their frame, browsers don’t
allow that. And no site in their right mind would include ads that aren’t
iframed.

A keylogger would be possible if there was some kind of zero day exploit, but
this isn’t that, it sounds like the tweeter didn’t do their due diligence. I’m
curious how someone gets as far as looking through the minified JavaScript
without knowing the browser doesn’t allow that, obviously(?), otherwise all
your passwords and information would have been compromised long ago.

------
thrownaway954
as someone who claims they are a programmer and researcher... you would think
they would have done some more research on this and also have common sense to
know that this isn't a keylogger.

------
Mister_Snuggles
Things like this make me happy that uMatrix exists.

~~~
chaosfox
indeed ! keypress.js is blocked on the easyprivacy list as well.

------
reilly3000
What could an advertiser good to track with key logging? Password to their...
CNN account??

~~~
mipmap04
A password to an individual's CNN account could easily be their same login to
their bank or other more important account.

------
stickfigure
CNN, like the vast majority of news sites, is best viewed with javascript
disabled. Pages load 10X faster, scrolling is not jumpy, the CPU doesn't go
crazy, and text reads just as well. It is hands down a much improved user
experience.

------
DannyB2
It's not CNN. It's ads.

Advertising has ruined every medium it has ever touched. It will ruin the web.
It is only a matter of time. It did not destroy ancient network television
overnight. It did not destroy cable tv overnight.

The last time I saw cable tv a few years back, it had become so bad that after
a long run of ads, they would then put bugs and walk on people right over the
content of the show you were watching. Sometimes obscuring important content
within that show.

~~~
imglorp
Which is why NF is so successful and cable is bleeding from the arteries.
Consumers want to choose their device, on their schedule, without tampering
with the content, and they want good and timely selection of content. They
will pay well for this.

------
mabufo
cross domain script blocking should be enforceable in all browsers

------
snopes_ads
press shift-control-z on cnn.com and you will get what this supposed keylogger
is (hint - it's not a keylogger or coming from an ad) but merely a cnn internal
tool.

------
wanderfowl
Dearest Ad Industry,

This is why we run ad blockers. Since you won't regulate your industry, we're
fixing the problem for you.

Love,

The Rest of the World.

~~~
Yizahi
PS: and please burn in hell, asap.

Sincerely,

Concerned users of the Internet.

~~~
reilly3000
takers of the internet?

------
roscoebeezie
I’ve noticed CNN has had a crap ton of redirect ads recently...

~~~
reilly3000
They come in waves and go away when ad exchanges figure out how to block them.
It isn't usually tied to a single publisher, as they are bought and sold
across ad exchanges that reach most of the ad funded web. They are extremely
difficult for even manual reviewers to spot and reproduce, so the whole
industry works to stop them together. Then new ones pop up.

