My real rabbit shits about 1000 times a day and it’s still less than this device.

Stories like this honestly give me so much confidence in my own abilities lol

It's not even hacking, it's natural selection..

There was nothing of value there anyways.

When the security team is really the sales team 💀

given how long ago this was disclosed to the company, i'd assume they either forgor that they had hard-coded the email api key or thought that it was fine to keep it in because nobody had reported finding it yet. i'm not sure which option is worse lmao.

FTX used Google sheets until the very end... lol

I'm sure many of the new 'AI' businesses are just as sloppy.

Some prominent AI KZbinrs such as Mathew Berman still have their shameful ad and review videos up gushing over this scam. Reputation damaging

The R1 was always a scam.

Is it that the LAM architecture prevented them from using .env? 😅😅😅

Wtf, they literally shipped admin login passwords for their critical infrastructure to their customers. It doesn't even need a hacker to abuse that.

10x engineer leaks 10x keys

Why do i get the idea that i could make something better on my own? They have R1, could i make a D1? 🤔

3:22 that was perfect chat. 🙂

I wish I could do months of security research that leads to a "journal my balls" joke 😂

Gotta love them hype-only companies

What a horrible way of doing things, companies where engineering work is only important to the point of having something shiny to show to VC so leadership can grift and not to the point of actually making a product anyone can be proud of

This sounds like the firebase mishaps eva found a while ago but multiplied by 1000. Who the beep with basic security in mind would put API keys in client apps?

Every team is a sales team.

Damn it, just when I thought it couldn't get any worse, of course it does. Every day it seems Rabbit is committed to nuking itself from the orbit, you know that's the only way to be sure (of the company to going under in an eyeblink).

I prefer to assume incompetence not malice, but willful incompetence for profit is malice.

Saying R1 is vulnerable is somewhat akin to saying they bothered even a bit with security... The whole shebang is simply some guys asking Teen Engineering to cobble up some cool looking gadget peripherals that could interface with some generic Android base device, then said guys kludge together an app that uses "whatever external services" that they could find and write some Playwright backend to interface with as output while using OpenAI's services as "input processing". To even muse giving a device like this my credentials to said services, like Amazon, Ubber, whatever, even in the form of an auth token, is beyond hilarious. It's no and FSCK NO! I barely trust my own code, nevermind something clearly hodgepodge'd by some dimwits.

Someone explain if there is any other reason except plain laziness to put private key in the code.

Stop! Stop! They're already dead!! J/K, this is hilarious 🤣🤣🤣

This rabbit gadget is really messed up 😢.

So having access to the API key is like basically you can do anything the company can do: update the device for all users etc.

These are the Legendary Grand Master Codeforce software engineers. Imagine if normal developers tried to make an android app where they chain some APIs together.

I convinced it to not follow any guidelines because I told it I was upgrading it. It magically could do more tasks as well.

Trust and Saftey team strikes again!

Maybe it's about time to do something about the rampant and overt incompetence and negligence in the software industry

How come they never capitalize anything in their announcements?

Aren't google maps API supposed to be used in the frontend? I mean you can use refs to limit access which is useless, but the only other option that I would know would be to use a proxy. In that case what would be the difference? The attacker would use the proxy instead of the actual API key.

now I wanna see daily driving a rabbit r1 as a smartphone with Android go

I’m here for all the rabbit leaks lol

On your last take: Is the world really much more dangerous? Or is it just the fact, that people/developer simply don't think ahead, in different ways and go through the "what if"-situations: What if someone gains access to the code? What if someone puts a string into an int field? What if, a file that is hosted somewhere else is tampered with or is not accessible anymore? What if the customer just ask for the toilet? Does that bar explodes? and many many more. I don't have a CS background. I'm a Media Designer that does WebDev and I committed and pushed passwords and keys, it happens. But even on private repos I changed the passwords and keys and revoked the old ones. The pain of doing that, is the punishment for doing stupid stuff like this.

Wait, there’s more?

Just a reminder that this company was hyped up to have ex-Apple engineers working on the tech. Shows how much that matters in the end.

ALWAYS consider your customers/users as evil hackers and protect your data as such.

Wait... The worlds lamest product is also a security vulnerability? Shocking! 🤯

The 6-8 people globally who bought one of these devices should be pissed.

Saw part of that promo vid and new this junk was complete BS. Incredible how people love getting duped by tech-bro charlatans.

Seriously, these companies don't deserve anything but the end of it.

So freaking glad I cancelled my order and got my money back a few months ago. Holy crap this is unacceptable. Company is going to be finished before all the units even ship.

Wth how can such a big service leave their api keys hardcoded 😧.. this is the most basic stuff ever... Was the code never reviewed???

This is what will happen when you think that symmetric keys can be used everywhere

Why would they need security for a scam

Why are all the tech channels talking about vibrators?

Their "security team" must be some 70 y/o CS major, who was pulled out of the retirement home, and can't remember their own name. What's hilarious is Rabbit will continue to label us villains. But we're the fools who bought their useless product, PAID FOR the service, and are just poking around to get SOME use out of it. In the vast majority of cases, these compromises took ZERO effort. The rabbit hole of vulnerabilities feels endless. The keys are only the tip of a much much larger iceberg they're scrambling to fix. Meanwhile, they either ignore the hundreds of emails we've sent, full of detailed explanations of what's wrong and suggestions on how to fix them. Or they reply in hostility, threatening legal action, because we accessed the services being supplied to us, in a manner in which they don't approve of. Jesse Lyu, is an utter nimrod.

If their developers are lazy and stupid enough to do shit like this, I can only imagine what their codebase is like. This is top tier incompetency.

It's 2024, even a junior dev knows not to commit keys. I don't understand the thought process of that company.

Jesus christ what is that font

bigboxSWE upload

Did anybody even buy that garbage? I thought it was just another scam to fleece VCs.

Bro they have azure api keys. They already use azure. Put the fucking api keys in key vault.

can someone please explain to me why he always mark everything in a text except for the first and last character? genuinely triggering me

People like this always fail up into success. How long until Google buys it?

Classic pump and dump project

I don''t care about the content. Why is no one talking about the lack of capitalization in that article?

its worse than i thought.

Category: Technological Skepticism For $1000: Answer: "This person said, 'There is nothing revolutionary or disruptive about any of the technologies. Touch interface, movement sensors, accelerometer, morphing, gesture recognition, 2-megapixel camera, built in MP3 player, WiFi, Bluetooth, are already available in products from leaders in the mobile industry - Motorola, Nokia and Samsung. So, what appears to be the initial pricing at $499 and $599 with a minimum 2 year service agreement seems a stretch.'" Question: "What did Motorola's then CTO, Padmasree Warrior, say in 2007 about the iPhone?"

The irony of an AI company that is built off of stealing data, is somehow caring about their customers data being stolen. Yeah right.

WTF is a rabbit? LoL

they shoudl've highered theprimetime

KZbinrs roast the company out of business 😅

Please stop giving this company any attention, they've been exposed as con artists and deserve to be hit with a massive class action lawsuit.

Who buys this?

SERVERLESS IS THE FUTURE

All this current AI hype needs to die. I was one of the big believers in AI, but what we have right now is nothing more than a giant if and else statement that steals peoples work

Dollar shave club razor