Rabbit R1 security flaw exposes user data to potential abuse

A security flaw in Rabbit R1 leaves user data vulnerable to exploitation, raising concerns about privacy and data protection.

Jun 28, 2024 - 10:41
A major security flaw has been discovered in the Rabbit R1 device's codebase, though the company denies that any vulnerability exists.


According to Rabbitude, a community of Rabbit R1 developers, this flaw allows third parties to access text prompts sent through the R1, potentially exposing sensitive information.

Rabbitude's update highlighted "several critical hardcoded API keys" found after developers accessed the Rabbit codebase.

The device, created by the startup behind the criticized AI Pin, is an AI-powered tool for internet searches, playing music, list-making, translations, and image generation. Users perform these tasks by speaking to the device or by using its camera to analyze their surroundings.

Rabbit denies vulnerability

When users make requests to the R1, their instructions should be securely sent to the ‘rabbithole,’ a cloud-based system that processes AI queries and produces results via connected apps. If the reported vulnerability is accurate, anyone with access to the hardcoded keys could intercept sensitive information within the prompts and responses.

Rabbitude has claimed that Rabbit was aware of this critical issue but failed to take appropriate action to resolve it. In response, the company informed Engadget that “an alleged data breach” was reported, but no evidence indicated a serious flaw in the system.

Rabbit stated:

“As of right now, we are not aware of any customer data being leaked or any compromise to our systems. If we learn of any other relevant information, we will provide an update once we have more details.”

The company did not confirm whether the keys Rabbitude claimed to have accessed in the codebase have been revoked.
