Members of a community focused on jailbreaking and reverse engineering the Rabbit R1 AI assistant device say that Rabbit left critical API keys hardcoded and exposed in its code, which would have allowed them to see and download “all r1 responses ever given.” The API access would have allowed a hacker to use various services, including text-to-speech services and email sending services, as if they were the company. To verify their access, the researchers sent 404 Media emails from internal admin email addresses used by the Rabbit device and the Rabbit team.
The disclosure, which was made on the group’s website and in its Discord on Tuesday, is the latest in a comedy of errors for the device, which, under the hood, is essentially just an Android app that runs requests through a series of off-the-shelf APIs such as ElevenLabs, a text-to-speech AI product. The device’s poor design has been the subject of many articles, investigations, and YouTube videos.
The exposed API keys were discovered by a group called Rabbitude, a community of hackers and developers who have been reverse engineering the Rabbit to explain how it works, find security problems, jailbreak the devices, and add additional features. “We reverse, hack, and experiment with the r1 and report our findings publicly,” Rabbitude explains on its website. “Rabbitude is built by the community along with some core members. overall making the r1 experience better.”