Developers had access to API keys and the entire database of responses from Rabbit R1 devices. This allowed them to view and change all answers, disable the backend and change votes.
The developers, united under the Rabbitude banner, claim to have access, including to API keys for ElevenLabs Text-to-Speech, Yelp, and Google Maps. This allowed them to view all R1s’ responses, including personal information. It was also possible to change the text and crash the entire backend.
Rabbitude said it informed Rabbit about the leak a month ago. The company ignored the developers and then changed the API keys. As a result, all R1 devices were temporarily offline on Wednesday, Rabbit reports. The API key for the SendGrid mail service is still working, Rabbitude reports.
The leak was possible because API keys are hardcoded into the software of all R1 devices, but the researchers did not disclose details about how they were accessed. The fact that Rabbit changed the API keys suggests that hackers could still find them in the software.
Rabbit announced the R1 in January and launched it this spring. The device is intended for use as an AI assistant and works primarily with voice commands. It can also perform actions on behalf of users on third-party services.