Rabbit reveals data breach was caused by employee leaking API keys
AI companion company revokes API keys leaked by rogue employee
The company behind rabbit r1, a sort of vague AI assistant device, has thwarted “a self-proclaimed ‘hacktivist’ group that was passed API keys by a rogue employee.
Having a company name starting with a lowercase letter may be deeply embarrassing, but don’t hold that against its security team (except when you should).
In a blog post, rabbit revealed all offending API keys had been revoked, and claims by the group to have access to source code are unfounded.
API issues
Discussing the results of a third-party code review from Obscurity Labs, rabbit explained, “Obscurity Labs’ findings show that, among other findings, no source code for our AI agent was exposed, no sensitive or valuable information was available to an attacker, and authentication tokens that are collected when you log in do not contain the actual username and password being typed.”
In the simplest of terms, alphanumeric API keys allow for the functionality of a piece of software to be called within another by a developer. The issuing of keys by an API provider helps restrict access, as well as monitor the extent of access being given.
While we’re all for employees going rogue and keeping life interesting, we must regretfully award nul points in this instance, because just as API keys can be bred like rabbits, they can also, clearly, be culled like Watership Down.
The trouble is that the company’s marketing department ought to take notes, as I have no idea what a ‘rabbit r1’ even is. It takes a ‘learn more’ link and scrolling three-quarters down the page to reveal that it's a kind of virtual assistant - or ‘pocket companion’, as the company insists on calling it.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Other features, including something called ‘teach mode’ that they do not explain, are ‘undergoing beta testing’, which is the kind of Icarus-tier optimism from deluded tech men (it’s always men, but I did flick through the keynote and it is actually men here) that we love.
The rabbit mascot is cute, but, for $199, I need more than that. This is just what business smartphones are now, and the reviewer for TechRadar couldn’t help pointing out that the rabbit r1 is ‘not good for much’, and that they were ‘constantly reaching for [their] phone’ anyway.
Overall, I think it's good that rabbit has competent security engineers and public relations writers who can explain the ins and outs of that security in a simple, digestible way.
More from TechRadar Pro
Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.