Rabbit R1s Leaks Are REALLY BAD

Recorded live on twitch, GET IN

### Article

### My Stream

### Best Way To Support Me
Become a backend engineer. It's my favorite site.

This is also the best way to support me: support yourself by becoming a better backend engineer.

MY MAIN YT CHANNEL: Has well-edited engineering videos

Discord

Comments

My real rabbit shits about 1000 times a day and it’s still less than this device.

venomqc

It's not even hacking, it's natural selection.

theohallenius

Stories like this honestly give me so much confidence in my own abilities lol

maxnibler

There was nothing of value there anyways.

Fan_of_Ado

When the security team is really the sales team 💀

anendlessknot

Given how long ago this was disclosed to the company, I'd assume they either forgot that they had hard-coded the email API key or thought that it was fine to keep it in because nobody had reported finding it yet. I'm not sure which option is worse lmao.

uzbekistanplaystaionBIOScrek

Wtf, they literally shipped admin login passwords for their critical infrastructure to their customers. It doesn't even need a hacker to abuse that.

henningerhenningstone

FTX used Google sheets until the very end... lol

devourerst

Saying the R1 is vulnerable is somewhat akin to saying they bothered even a bit with security... The whole shebang is simply some guys asking Teenage Engineering to cobble up some cool-looking gadget peripherals that could interface with some generic Android base device; then said guys kludge together an app that uses "whatever external services" they could find, write some Playwright backend to interface with as output, and use OpenAI's services as "input processing".
To even muse giving a device like this my credentials to said services, like Amazon, Uber, whatever, even in the form of an auth token, is beyond hilarious. It's no, and FSCK NO! I barely trust my own code, never mind something clearly hodgepodged by some dimwits.

ErazerPT

I'm sure many of the new 'AI' businesses are just as sloppy.

rapper-charmer

Some prominent AI YouTubers such as Matthew Berman still have their shameful ad and review videos up gushing over this scam. Reputation-damaging.

thomassynths

Is it that the LAM architecture prevented them from using .env? 😅😅😅

thedelanyo

Why do I get the idea that I could make something better on my own?

They have R1, could i make a D1? 🤔

blinking_dodo

This sounds like the Firebase mishaps Eva found a while ago, but multiplied by 1000. Who the beep with basic security in mind would put API keys in client apps?

muB

Rabbit doesn't use spreadsheets as a database. They have a feature where you can ask it to look at a spreadsheet and make edits to it, and they'll send you the modified spreadsheet to your email.

CodexAdrian

Their "security team" must be some 70 y/o CS major who was pulled out of the retirement home and can't remember their own name. What's hilarious is Rabbit will continue to label us villains. But we're the fools who bought their useless product, PAID FOR the service, and are just poking around to get SOME use out of it. In the vast majority of cases, these compromises took ZERO effort. The rabbit hole of vulnerabilities feels endless. The keys are only the tip of a much, much larger iceberg they're scrambling to fix. Meanwhile, they either ignore the hundreds of emails we've sent, full of detailed explanations of what's wrong and suggestions on how to fix them, or they reply with hostility, threatening legal action because we accessed the services being supplied to us in a manner they don't approve of.

Jesse Lyu is an utter nimrod.

infinitivez

Damn it, just when I thought it couldn't get any worse, of course it does. Every day it seems Rabbit is committed to nuking itself from orbit; you know that's the only way to be sure (of the company going under in an eyeblink).

mattilindstrom

How come they never capitalize anything in their announcements?

bnorrish

I prefer to assume incompetence not malice, but willful incompetence for profit is malice.

donk

Aren't Google Maps APIs supposed to be used in the frontend? I mean, you can use refs to limit access, which is useless, but the only other option that I would know of would be to use a proxy. In that case what would be the difference? The attacker would use the proxy instead of the actual API key.

ykhatat
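On the question in the last comment of what a backend proxy buys you over a key shipped in the client: the point is not that the proxy endpoint is secret (it isn't), but that the key never leaves the server, the proxy exposes only the handful of upstream operations the product needs, rejects client-supplied parameters such as a second `key`, throttles per client, keeps an audit trail, and lets you rotate the key without shipping a new app. The following is an added example written for this page, not code from the video, the thread, or Rabbit. It assumes a hypothetical maps API at `maps.example.invalid`, a made-up key `sk-example-do-not-ship`, and a fake upstream callable in place of the real HTTP request so it runs offline.

```python
"""Added example: a narrow server-side proxy in front of a third-party API key.

Assumptions (constructed for this example, not real services or credentials):
  - upstream API lives at UPSTREAM_BASE and takes the key as a `key` query parameter
  - the key is held server-side (in production: env var or secret store, never the app bundle)
  - the network call is replaced by fake_upstream() so the example runs offline
"""
import time
from collections import defaultdict, deque
from urllib.parse import urlencode

UPSTREAM_BASE = "https://maps.example.invalid/api"   # hypothetical upstream
SERVER_SIDE_KEY = "sk-example-do-not-ship"           # made-up key for the example

# The only upstream operations clients may reach, and the parameters each may carry.
# Other products on the same key, or billing-heavy endpoints, are unreachable through the proxy.
ALLOWED_ENDPOINTS = {
    "geocode": {"address"},
    "staticmap": {"center", "zoom", "size"},
}


class RateLimiter:
    """Sliding-window limiter keyed by client identity (session, user or device)."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock                 # injectable so tests can advance time
        self.hits = defaultdict(deque)

    def allow(self, client_id):
        now = self.clock()
        q = self.hits[client_id]
        while q and now - q[0] >= self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ApiProxy:
    """Holds the vendor key server-side and exposes a narrow, throttled surface to clients."""

    def __init__(self, upstream, key=SERVER_SIDE_KEY, limiter=None):
        self.upstream = upstream           # callable(url) -> dict; stands in for the HTTP call
        self.key = key
        self.limiter = limiter or RateLimiter(limit=5, window_seconds=60.0)
        self.audit = []                    # (client_id, endpoint, status) for abuse review

    def _deny(self, client_id, endpoint, status, reason):
        self.audit.append((client_id, endpoint, status))
        return {"status": status, "error": reason}

    def handle(self, client_id, endpoint, params):
        allowed_params = ALLOWED_ENDPOINTS.get(endpoint)
        if allowed_params is None:
            return self._deny(client_id, endpoint, 404, "endpoint not exposed")
        unexpected = set(params) - allowed_params      # also blocks a client-supplied `key`
        if unexpected:
            return self._deny(client_id, endpoint, 400, f"unexpected params: {sorted(unexpected)}")
        if not self.limiter.allow(client_id):
            return self._deny(client_id, endpoint, 429, "rate limited")
        # The key is attached here and only here; the client neither sends nor receives it.
        url = f"{UPSTREAM_BASE}/{endpoint}?{urlencode(dict(params, key=self.key))}"
        self.audit.append((client_id, endpoint, 200))
        return {"status": 200, "body": self.upstream(url)}


def fake_upstream(url):
    """Offline stand-in for the vendor API: echoes the endpoint name, never the credential."""
    endpoint = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return {"result": f"ok:{endpoint}"}


def demo():
    """Constructed run: one response per case, with a 2-per-minute limit and a fake clock."""
    clock = [0.0]
    proxy = ApiProxy(fake_upstream, key="sk-test-only",
                     limiter=RateLimiter(limit=2, window_seconds=60.0, clock=lambda: clock[0]))
    out = {}
    out["ok"] = proxy.handle("sess-A", "geocode", {"address": "1 Main St"})
    out["not_exposed"] = proxy.handle("sess-A", "directions", {"origin": "x"})
    out["bad_param"] = proxy.handle("sess-A", "geocode", {"address": "x", "key": "attacker-supplied"})
    out["second"] = proxy.handle("sess-A", "staticmap", {"center": "0,0", "zoom": "3", "size": "1x1"})
    out["limited"] = proxy.handle("sess-A", "geocode", {"address": "again"})
    clock[0] += 61.0                                   # window expires
    out["after_window"] = proxy.handle("sess-A", "geocode", {"address": "later"})
    out["other_client"] = proxy.handle("sess-B", "geocode", {"address": "other"})
    out["audit"] = list(proxy.audit)
    return out


if __name__ == "__main__":
    for name, resp in demo().items():
        print(name, resp)
```

The difference from shipping the key, visible in `demo()`: an attacker hitting the proxy gets two allow-listed operations at two requests per minute per session, and every call lands in the audit list; an attacker holding the raw key gets every product enabled on it at the account's full quota, with nothing on your side to revoke except the key itself. Referrer restrictions on a frontend key do not change that picture, since a `Referer` header is attacker-controlled outside a browser.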