A group of R1 jailbreakers found a massive security flaw in Rabbit’s code


Rabbit and its R1 AI gadget are under fire again, and this time it is much more serious than when we found out its launcher could simply be installed as an Android app. A group of developers and researchers called Rabbitude says it discovered API keys hardcoded in the company’s codebase, putting sensitive information at risk of falling into the wrong hands.

These keys essentially provided access to Rabbit’s accounts with third-party services like its text-to-speech provider ElevenLabs and — as confirmed by 404 Media — the company’s SendGrid account, which is how it sends emails from its rabbit.tech domain. According to Rabbitude, its access to these API keys — particularly the ElevenLabs API — meant it could access every response ever given by R1 devices. That is Bad with a capital B.

Rabbitude published an article yesterday saying that it gained access to the keys over a month ago but that, despite knowing about the breach, Rabbit did nothing to secure the information. Since then, the group says its access to most of the keys has been revoked, suggesting that the company rotated them, but as of earlier today, it still had access to the SendGrid key.

Rabbit hasn’t responded to my request for comment on the security breach, though it offered a general statement yesterday on its Discord server: “Today we were made aware of an alleged data breach. Our security team immediately began investigating it. As of right now, we are not aware of any customer data being leaked or any compromise to our systems. If we learn of any other relevant information, we will provide an update once we have more details.”

Following its much-hyped launch this spring, the Rabbit R1 proved itself to be a disappointment. Battery life was bad, its feature set was bare-bones, and its AI-generated responses often contained errors. The company issued a software update in short order fixing bugs like the battery drain and has continued to release updates since then, but the R1’s core problem of overpromising and massively underdelivering remains unchanged. And a serious security breach like this makes it much harder to win back public trust.
