Rabbit Says Former Employee Handed Hacking Collective the Keys to the R1’s Backend

Rabbit, the institution down the perfunctory and perchance problematic Rabbit R1, present claims that a since-fired worker gave a hacker and developer corporate entree to each its assorted API keys, allowing them to work users’ AI prompts and nonstop messages from the company’s ain email server. The makers of the AI doohickey are inactive calling retired “external critics” portion extolling the effectiveness of the R1’s security. Still, it doesn’t look similar their efforts volition enactment an extremity to the ongoing cybersecurity SNAFU.

Back successful June, a squad of achromatic chapeau hackers and developers calling themselves Rabbitude released a damning report claiming they gained entree to galore of Rabbit’s interior codebase and could fool astir with a fig of hardcoded API keys. This included a cardinal to the company’s transportation with text-to-voice work ElevenLabs, which could assistance them a look astatine each users’ past text-to-speech messages. Rabbit archetypal denied an contented but has since changed its API keys.

In an email to Gizmodo, a Rabbit spokesperson wrote, “In June, an worker (who has since been terminated) leaked API keys to a self-proclaimed ‘hacktivist’ group, which wrote an nonfiction claiming they had entree to Rabbit’s interior root codification and immoderate API keys. Rabbit instantly revoked and rotated those API keys and moved further secrets into AWS Secrets Manager.”

The institution has continued to assertion the hacking effort took spot successful June. Rabbitude inactive maintains it had entree to the codebase and API keys going backmost into May. The hacker corporate claims that Rabbit knew of the API contented but chose to disregard it until Rabbitude published its findings the pursuing month. 

Over Signal chat, 1 of the Rabbitude hackers, who goes by Eva, rebutted Rabbit’s alleged timing of events, saying, “We had entree for implicit 2 months.” They declined to remark connected Rabbit’s claims astir a erstwhile employee, citing “legal reasons,” but they inactive derided Rabbit for its prime to hardcode the API keys.

“Even if it was an insider, they shouldn’t person hardcoded the keys successful their code, arsenic it means immoderate worker could person entree to users’ accumulation messages, adjacent if they weren’t breached,” Eva said.

Rabbit initially denied determination was an contented with the codebase and API keys. To beryllium they had access, a subordinate of Rabbitude sent an email from the AI instrumentality company’s interior email server to Gizmodo alongside respective outlets. Rabbit aboriginal changed each API keys to artifact access. The institution yet said successful a press release that “the lone maltreatment of those keys was to nonstop defamatory emails to rabbit employees” and “a tiny fig of journalists who promote the enactment of hacktivists.” 

Rabbit Claims its Systems Were Always Reliable

The occupation was ne'er that the hackers were holding onto delicate Rabbit R1 idiosyncratic information but that anybody connected Rabbit’s squad had entree to this info successful the archetypal place. Rabbitude pointed retired that the institution ne'er should person hardcoded its API keys, which allows excessively galore radical interior access. Rabbit inactive seems to beryllium glossing implicit that issue, each portion belittling the radical of developers with its changeless notation to “self-proclaimed hacktivists” oregon the reporters who pointed retired the occupation successful the archetypal place.

The issues conscionable kept piling connected adjacent aft Rabbitude published its findings. Last month, the instrumentality shaper shared adjacent much troubling information issues with the Rabbit R1. The institution said users’ responses were being saved onto their instrumentality itself, and they weren’t being removed adjacent aft they logged retired of their rabbithole account. This meant users’ responses could beryllium accessed via a “jailbreak” aft selling disconnected their devices. Rabbit is limiting the magnitude of information that gets stored on-device. For the archetypal clip since Rabbit released the instrumentality successful precocious April, users tin yet take to mill reset their instrumentality done settings.

Rabbit hired cybersecurity steadfast Obscurity Labs to behaviour a penetration trial into Rabbit’s backend and the R1 instrumentality itself. The steadfast conducted the tests from April 29 done May 10, earlier the information controversies archetypal came to life. Obscurity Labs released its report this week, describing however they could usage immoderate beauteous basal attacks to entree the Playwright scripts astatine the bosom of the R1’s systems but couldn’t entree the root codification oregon credentials that fto users entree their Uber oregon DoorDash accounts.

In an email to Gizmodo, Rabbit again claimed that the company’s root codification had not been exposed. A spokesperson for the institution said the study shows their information “is moving arsenic intended to minimize the imaginable interaction of an onslaught sufficiently.” The institution further claimed that erstwhile hackers entree Rabbit’s systems, “they are incapable to entree thing of substance, including delicate oregon different invaluable information.”

Critics aren’t feeling precise mollified. The study pointedly does not pentest however Rabbit stores users’ league tokens. After immoderate critics complained, Obscurity Labs updated the study to accidental that that strategy was “out of scope” since Rabbit uses a third-party institution to support that information private. As acold arsenic Rabbitude is concerned, members accidental that the study doesn’t genuinely code their concerns.

“I wouldn’t adjacent telephone it a pentest,” Eva said.