The R1 jailbreaker group found a huge security flaw in Rabbit’s code


These keys essentially provided access to Rabbit accounts on third-party services such as text-to-speech provider ElevenLabs and, as confirmed by 404 Media, the company's SendGrid account, which it uses to send emails from the rabbit.tech domain. According to Rabbitude, access to these API keys – specifically the ElevenLabs API – meant it could access every response ever given by R1 devices. This is bad with a capital B.

Rabbitude published an article yesterday claiming it gained access to the keys over a month ago, but that despite knowing about the hack, Rabbit did nothing to secure the information. Since then, the group says its access to most of the keys has been revoked, suggesting the company has been changing them, but so far it still has access to the SendGrid key.

Rabbit did not respond to my request for comment on the security breach, although it did provide a general statement on its Discord server yesterday: “Today we were made aware of an alleged data breach. Our security team immediately began investigating this matter. At this time, we are not aware of any customer data leakage or any security breach of our systems. If we learn of any other relevant information, we will update you when we have more details.”

After an extremely popular launch this spring, the Rabbit R1 turned out to be a disappointment. Battery life was poor, the feature set was basic, and AI-generated responses often contained errors. The company released a software update to fix bugs like battery drain and has continued to release updates since then, but the R1’s core problem of over-promising and significantly under-delivering remains unchanged. Such a serious security breach makes it much harder to regain public trust.
