Security week-in-review: Mobile phone thief thwarted by “Theftie”


It’s hard to keep up with the hundreds of security-specific headlines published every week.

So, we’re rounding up the top news that affects you, your business, and the security and technology industry overall. This week we explore thefties, Firefox vulns, and a warning: don’t upload your Slack credentials to GitHub! Check back every Friday to learn about the latest in security news.

Phone thief’s “selfie” leads to his arrest

A Lookout Theft Alert “theftie” helped police arrest a man in Florida after he allegedly stole two smartphones. Theft Alerts trigger the camera to take a front-facing picture based on a certain set of actions Lookout anticipates thieves will take after they steal a device. “It’s so nice when technology works with us,” Sheriff Grady Judd explained after the arrest had been made.

Watch the segment here and learn more about Theft Alerts here.

Mozilla patches 14 holes in Firefox, plugging 2 potential Android attacks

Mozilla released a patch for 14 vulnerabilities this week, a number of them sealing up critical holes in the company’s Firefox browser. One of these holes, found by researchers at Newcastle University, could have allowed an attacker on Android to “deduce touch actions,” or monitor what was being typed into the browser, according to SecurityWeek. Another hole, found by Ken Okuyama, would have allowed an attacker to use a malicious application to read locally stored passwords and browser history.

Get more information about the patches here.

Trend: Developers storing Slack tokens on GitHub

Researchers at Detectify found that thousands of Slack tokens are searchable on GitHub. This is because a number of developers are, perhaps unknowingly, uploading the code for their Slack API projects to GitHub with these tokens included. Slack’s API allows people to create robots that can complete tasks on their behalf, and developers are sharing their creations. The researchers write, “The problem is that many developers tend to include Slack tokens – credentials tied to their personal Slack account – directly in the code when building Slack bots. … the developer is actually giving anyone – that finds the token – access to the developer’s company’s internal chats and files on Slack.”

Read more about the problem here.
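
As an added example (not from the original post or from Detectify), here is a minimal pre-commit style check for the problem described above: it scans source text for strings shaped like Slack tokens and reports them redacted. The regex length bound, the file names and the sample token are constructed assumptions.

```python
import re

# Slack API tokens start with "xox" plus a type letter (for example xoxp- for a
# user token, xoxb- for a bot token). The minimum length of 10 after the prefix
# is an assumption chosen to avoid flagging short look-alike strings.
SLACK_TOKEN_RE = re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}")


def redact(token):
    """Keep the type prefix and last 4 characters so the report does not re-leak the secret."""
    return token[:5] + "..." + token[-4:]


def scan_source(files):
    """Scan a dict of path -> source text.

    Returns a list of (path, line_no, redacted_token) for every match.
    """
    findings = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in SLACK_TOKEN_RE.finditer(line):
                findings.append((path, line_no, redact(match.group(0))))
    return findings


# Constructed sample input: one bot with a hard-coded (fake) token, and one
# that reads the token from the environment so it never enters the repository.
SAMPLE_FILES = {
    "bot_hardcoded.py": 'import requests\nTOKEN = "xoxp-0000000000-0000000000-EXAMPLEONLY"\n',
    "bot_env.py": 'import os\nTOKEN = os.environ["SLACK_TOKEN"]\n',
}

if __name__ == "__main__":
    results = scan_source(SAMPLE_FILES)
    for path, line_no, token in results:
        print(f"{path}:{line_no}: Slack token in source ({token})")
    # A non-zero exit status lets a pre-commit hook block the commit.
    raise SystemExit(1 if results else 0)
```

A token that has already been pushed should be revoked, since it remains in the repository history even after the line is deleted.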