Researchers say Rabbit left secure data vulnerable to bad actors. | Photo: David Pierce / The Verge
Rabbit and its R1 AI gadget are under fire again, and it’s much more serious than the time we found out its launcher really could just be installed as an Android app. A group of developers and researchers called Rabbitude says it discovered API keys hardcoded in the company’s codebase, putting sensitive information at risk of falling into the wrong hands.
These keys essentially provided access to Rabbit’s accounts with third-party services like its text-to-speech provider ElevenLabs and — as confirmed by 404 Media — the company’s SendGrid account, which is how it sends emails from its rabbit.tech domain. According to Rabbitude, its access to these API keys — particularly the ElevenLabs API — meant it could access every response ever…