Rabbit data breach: all r1 responses ever given can be downloaded
A data breach at Rabbit Inc. exposed critical API keys for ElevenLabs, Azure, Yelp, and Google Maps, compromising personal information and enabling malicious actions. Rabbit Inc. has not addressed the issue, urging users to unlink Rabbithole connections.
A data breach at Rabbit Inc. has exposed critical API keys, including those for ElevenLabs, Azure, Yelp, and Google Maps. The exposed keys allow access to every response ever given by R1 devices, potentially compromising personal information and enabling malicious actions such as altering responses and crashing devices. Despite being aware of the issue for a month, Rabbit Inc. has not taken action to secure or rotate the API keys. The Rabbit team has been criticized for ignoring the breach and leaving the keys valid. Users are advised to unlink their Rabbithole connections as a precaution. The breach highlights Rabbit's poor security practices and the risks it poses to R1 device users. Further details have not been disclosed in order to protect user privacy.
Related
KrebsOnSecurity Threatened with Defamation Lawsuit over Fake Radaris CEO
KrebsOnSecurity faced a defamation lawsuit threat for exposing Radaris' true owners, the Lubarsky brothers, linked to questionable practices. Despite demands, KrebsOnSecurity stood by its reporting, revealing a complex web of interconnected businesses.
Simple ways to find exposed sensitive information
Various methods to find exposed sensitive information are discussed, including search engine dorking, Github searches, and PublicWWW for hardcoded API keys. Risks of misconfigured AWS S3 buckets are highlighted, stressing data confidentiality.
I found a 1-click exploit in South Korea's biggest mobile chat app
A critical exploit in KakaoTalk allows attackers to run JavaScript in a WebView, potentially compromising user accounts by stealing access tokens. The exploit highlights the need to address security vulnerabilities in messaging apps.
Leaking URLs to the Clown
The author describes leaking URLs during Mac app testing, with a unique URL receiving requests from a random "cloud" service every three hours. This raises privacy concerns and highlights potential risks for users.
Snowflake breach snowballs as more victims, perps, come forward
The Snowflake data breach expands to include Ticketek, Ticketmaster, and Advance Auto Parts. ShinyHunters claim involvement, Snowflake enforces security measures. CDK faces ransomware attack, Juniper and Apple vulnerabilities identified. Jetflicks operators convicted.
So this is the IT literacy of AI startups...
It’s not even accurate sometimes and I definitely did not manually tell it things about me. But it made some incorrect assumptions and now it’s out there whether it’s true or not.
Remind me how many billions was this supposedly worth?
Anybody can string a couple of API calls together and write an "app". That is not programming, and this project is a massive undertaking for somebody of their skill. It should have never gone to market to begin with; regulations should have stopped it in its tracks. The fact that they put more effort into their "keynote" than the actual product was already a red flag. It's like some marketing guys got together and decided that they were going to "take the world by storm with AI".
> we have internal confirmation that the rabbit team is aware of this leaking of api keys and have chosen to ignore it. the api keys continue to be valid as of writing.
Yeah.
I wish there was a mechanism on HN to link related (but different) stories - beyond people in the comments, I mean. I think it would be especially useful over time (e.g. I could relate these today because they're both on the front page at the same time, but if someone came across this in the future the relationship may have been lost).