A group of R1 jailbreakers found a massive security flaw in Rabbit’s code
Rabbit and its R1 AI gadget are under fire again, and it’s much more serious than the time we found out its launcher really could just be installed as an Android app. A group of developers and researchers called Rabbitude says it discovered API keys hardcoded in the company’s codebase, putting sensitive information at risk of falling into the wrong hands.
These keys essentially provided access to Rabbit’s accounts with third-party services like its text-to-speech provider ElevenLabs and, as confirmed by 404 Media, the company’s SendGrid account, which is how it sends emails from its rabbit.tech domain. According to Rabbitude, its access to these API keys, particularly the ElevenLabs API, meant it could access every response ever given by R1 devices. That is Bad with a capital B.
Following its much-hyped launch this spring, the Rabbit R1 proved itself to be a disappointment. Battery life was bad, its feature set was bare-bones, and its AI-generated responses often contained errors.