Paul Raker, posted June 28, 2024:

Rabbit and its R1 AI gadget are in hot water again, and this time it’s way more serious than just discovering their launcher could be installed as an Android app. A group of developers and researchers, known as Rabbitude, found hardcoded API keys in Rabbit’s codebase. This means sensitive information could easily fall into the wrong hands. These API keys allowed access to Rabbit’s accounts with third-party services like ElevenLabs for text-to-speech and, as confirmed by 404 Media, their SendGrid account for emails from the rabbit.tech domain. Rabbitude found that with these keys, they could access every response ever given by R1 devices using the ElevenLabs API. That’s a major security issue!
UselessKit, posted June 28, 2024:

It's not just a security flaw. It's a core tenet of security that was ignored, overlooked, or, even worse, someone didn't even know, which is INSANE when almost every single API comes with a quick "Hey, don't let people see this shit, use a .env." Hey guys, we built a combination lock that has the combo engraved on the side for easy access.
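The two practices this post contrasts, a key literal baked into source versus a key read from the environment, as an added illustration that is not part of the thread: a small scanner that flags hardcoded credentials in constructed sample source (the `SG.` prefix is the commonly used SendGrid key pattern; the sample key values are made up), next to a loader that refuses to start without the environment variable.

```python
import math
import os
import re
from collections import Counter

# Commonly used SendGrid key shape: "SG." + 22 chars + "." + 43 chars.
SENDGRID_RE = re.compile(r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}")
# Generic rule: a *api_key/*secret/*token name assigned a long string literal.
GENERIC_RE = re.compile(
    r"(?i)\b(\w*(?:api[_-]?key|secret|token))\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'xxxx' score near zero, real keys high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_source(text: str, min_entropy: float = 3.0) -> list:
    """Return (line_no, rule, value) for each suspected hardcoded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := SENDGRID_RE.search(line):
            findings.append((lineno, "sendgrid-key", m.group(0)))
            continue
        if m := GENERIC_RE.search(line):
            value = m.group(2)
            # Low-entropy literals are usually placeholders, not live keys.
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, "generic-secret", value))
    return findings

def load_secret(name: str) -> str:
    """The .env approach: the key lives only in the process environment and
    a missing value is a hard failure, never a fallback to a literal."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to run without it")
    return value

# Constructed sample source (fake keys), not code from any real project.
SAMPLE_SOURCE = """\
ELEVENLABS_API_KEY = "xk9Qv2Lm7Tz4Rb8Np1Wd6Yh3Jc5Fg0Sa"
SENDGRID_KEY = "SG.aaaaaaaaaaaaaaaaaaaaaa.bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
PLACEHOLDER_API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"
ELEVENLABS_API_KEY = os.environ["ELEVENLABS_API_KEY"]
"""

if __name__ == "__main__":
    for lineno, rule, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {value[:8]}...")
```

Only lines 1 and 2 of the sample are reported; the placeholder and the environment lookup on lines 3 and 4 pass clean.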
Leon Houw, posted June 28, 2024:

My wife told me about this thing and I bought it while I was drunk without really looking into it. I totally forgot about it until it showed up yesterday. It’s almost useless, but as a tech guy I still was curious. There are red flags all over this thing. To sign into Apple Music or Spotify, you need to connect to them using a VNC (aka a server they control). This is such an egregious violation of normal security practices. I can’t believe engineering effort was spent on this instead of, you know, doing it the right way with their APIs.