Rabbit and its R1 AI gadget have found themselves in trouble again, this time far more serious than when we discovered its launcher could actually be installed as an Android app.


A group of developers and researchers known as Rabbitude discovered hardcoded API keys in the company's codebase, putting sensitive information at risk of falling into the wrong hands. These keys essentially granted access to Rabbit's accounts with third-party services, including the text-to-speech provider ElevenLabs and the company's SendGrid account. According to Rabbitude, holding these API keys meant they could access every response given by the R1 device, posing a significant security risk.
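As an added illustration (not code from Rabbit, Rabbitude or this article), here is a small check a team could run over its own source to catch keys hardcoded this way before they ship. The SendGrid rule matches that provider's key shape; the generic assignment rule, the entropy threshold and every sample value are assumptions constructed for the example.

```python
import math
import re

# SendGrid API keys have a recognisable shape: "SG." + 22 chars + "." + 43 chars.
SENDGRID_KEY = re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])")
# Heuristic (assumption): a 24+ char quoted literal assigned to a name containing key/token/secret.
GENERIC_ASSIGN = re.compile(
    r"(?i)\b([A-Za-z0-9_]*(?:key|token|secret)[A-Za-z0-9_]*)\s*[:=]\s*[\"']([A-Za-z0-9_\-./+]{24,})[\"']"
)

def entropy(s):
    """Shannon entropy in bits per character; random keys score high, placeholders low."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(secret):
    """Keep only a short prefix so the report itself never re-leaks the credential."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan(text, min_entropy=3.5):
    """Return (line_number, rule, redacted_value) for each suspected hardcoded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        sg = SENDGRID_KEY.search(line)
        if sg:
            findings.append((lineno, "sendgrid-api-key", redact(sg.group(0))))
            continue
        m = GENERIC_ASSIGN.search(line)
        if m and entropy(m.group(2)) >= min_entropy:
            findings.append((lineno, "generic-secret-assignment", redact(m.group(2))))
    return findings

# Constructed sample source file; all values are made up and not real credentials.
FAKE_SG = "SG." + "a" * 22 + "." + "b" * 43
SAMPLE = "\n".join([
    'import os',
    f'SENDGRID_API_KEY = "{FAKE_SG}"',                    # hardcoded provider key
    'TTS_API_KEY = "9f2c4e7a1b8d3f6057c2e9a4b1d8f3e6"',   # hardcoded random-looking key
    'tts_key = os.environ["TTS_API_KEY"]',                # loaded at runtime: not flagged
    'EXAMPLE_API_KEY = "REPLACE_ME_REPLACE_ME_REPLACE_ME"',  # low-entropy placeholder
])

if __name__ == "__main__":
    for lineno, rule, value in scan(SAMPLE):
        print(f"line {lineno}: {rule}: {value}")
```

A key that has already been committed stays in version-control history even after the line is deleted, so a finding means the key has to be revoked and reissued, not just removed from the file.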

Rabbitude published an article yesterday stating that they had gained access to these keys over a month ago, but despite knowing about the breach, Rabbit had taken no steps to protect the information. Although the group later stated that their access to most of the keys had been revoked, the SendGrid key was still accessible until earlier today. Rabbit responded by pointing to a page on their website, indicating they would "update as information becomes available."

The statement on the company's website claims that Rabbit is investigating the incident but has not yet found any "compromise to the security of our critical systems or customer data."

Rabbit R1, which gained significant attention after its launch in the spring, has been disappointing in practice. Poor battery life, rudimentary features, and frequent errors in AI-generated responses are among its issues. Despite software updates that addressed battery drain, the core problem of overpromising and underdelivering remains unchanged. This severe security vulnerability makes regaining public trust even more challenging.

Key Points:

- A group called Rabbitude discovered hardcoded API keys in the company's codebase, posing a risk to sensitive information.

- Despite Rabbit's efforts to restrict access, the security vulnerability persists, making it harder to rebuild public trust.

- Rabbit R1 has multiple issues in practice, and software updates have not addressed its core problem of overpromising and underdelivering.