The Rabbit r1 Had All Its Users' API Keys Hardcoded Into Its Source Code
In June 2024, security researchers at Rabbitude reverse-engineered the Rabbit r1 — a $199 AI gadget that had raised $10 million and sold 100,000 units. They found that API keys for ElevenLabs, Azure, Yelp, and Google Maps were hardcoded directly into the r1's codebase. Anyone with the keys could access all r1 responses ever given to any user, generate audio using Rabbit's ElevenLabs account, and send emails from Rabbit's email server. Rabbit denied the issue was critical, then quietly rotated the keys. The device, already mocked for doing less than a smartphone, became a symbol of rushed AI hardware.
Weirdness Classification
9/10 — Deeply unhinged