Researchers have discovered that Rabbit AI left critical API keys hardcoded and exposed in its code. These keys, which include those for ElevenLabs, Azure, Yelp, and Google Maps, allow access to all responses ever given by Rabbit's AI assistant, R1. The researchers demonstrated their access to Rabbit's backend by sending emails from Rabbit administrator accounts. Despite having been aware of the issue for a month, Rabbit has not rotated the API keys, according to 404 Media.
Rabbit AI left critical API keys hardcoded and exposed in its code, which researchers claim would allow them to see "all Rabbit R1 responses ever given": https://t.co/PK6zbVveLj
The researchers who found the exposed Rabbit R1 API keys say they could see every response ever given to users. This is such a wild possibility for an AI assistant that's constantly responding to questions from users. That's what it's for! https://t.co/1GfFMwjbCc
NEW: Researchers say Rabbit left critical API keys used by R1 hard coded and exposed. They sent me emails using Rabbit admin accounts to prove this: https://t.co/tblK4hC24w
New from 404 Media: researchers prove they have access to Rabbit AI's backend by emailing us using a Rabbit administrator email. API keys were hardcoded into the device, including ElevenLabs, Azure, Yelp, Google Maps. They say they could see "all Rabbit R1 responses" https://t.co/Y7KqAFCBsK https://t.co/pKs0sdxkLl
“rabbit has known that we have had their api key for a month, but they have taken no action to rotate the api keys. […] these keys allow anyone to: read every response every r1 has ever given, including ones containing personal information” Not good. https://t.co/gHbAtSCKIu
My Rabbit is here!!! What’s a @rabbit_hmi ? It’s a handheld AI device!!! I’m so excited!!!!! https://t.co/JjD6vdQIWb