Rabbit Reveals Data Breach Was Caused By Employee Leaking API Keys
The company behind rabbit r1, some sort of vaguely described AI assistant device, has revoked API keys that a rogue employee leaked to a self-proclaimed “hacktivist” group.
A company name that starts with a lowercase letter is embarrassing enough in its own right, but don’t blame the security team for that (the rest of this story, perhaps).
In a blog post, Rabbit said that all of the leaked API keys had been revoked and that the group’s claim to have had access to its source code was unfounded.
API issues
Discussing the results of a third-party code review by Obscurity Labs, rabbit explained, “Obscurity Labs’ findings show, among other things, that no source code for our AI agent was exposed, that no sensitive or valuable information was available to an attacker, and that authentication tokens collected when you log in do not contain the actual username and password being typed.”
In the simplest terms, an API key is an alphanumeric secret that lets a developer’s software call functionality exposed by another piece of software. By issuing the keys itself, the API provider can identify who is calling, restrict who gets access at all, and limit what each key is allowed to do. Just as importantly, a key the provider issued is a key the provider can revoke, which is what matters once one has leaked.
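To make that mechanism concrete, here is an added example written for this article (it is not rabbit’s or Obscurity Labs’ code): a tiny API-key service that issues keys with a public id and a random secret, stores only a hash of each key, restricts what each key may call through scopes, and revokes a leaked key without disturbing the others, which is what rabbit says it did after the leak. The `rk_<id>_<secret>` key format and the `read:orders`/`write:orders` scope names are assumptions made for the example.

```python
# Added illustration of API-key issuance, scoping and revocation.
# Example code written for this article, not rabbit's or Obscurity Labs' code;
# the "rk_<id>_<secret>" format and the scope names are assumptions.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class KeyRecord:
    key_hash: str              # SHA-256 of the full key; the plaintext is never stored
    scopes: frozenset[str]     # what this key may call
    revoked: bool = False


def _hash_key(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def key_id_of(key: str) -> str:
    """Public, non-secret identifier embedded in a key of the form rk_<id>_<secret>."""
    parts = key.split("_", 2)
    if len(parts) != 3 or parts[0] != "rk":
        raise ValueError("malformed key")
    return parts[1]


class ApiKeyService:
    """Issues keys to developers and checks every call against scope and revocation."""

    def __init__(self) -> None:
        self._records: dict[str, KeyRecord] = {}

    def issue(self, scopes) -> str:
        key_id = secrets.token_hex(4)          # 8 hex chars, safe to log
        secret = secrets.token_urlsafe(32)     # 256 bits of entropy, shown to the caller once
        key = f"rk_{key_id}_{secret}"
        self._records[key_id] = KeyRecord(_hash_key(key), frozenset(scopes))
        return key                             # caller stores the plaintext; we keep only the hash

    def revoke(self, key_id: str) -> bool:
        rec = self._records.get(key_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def revoke_all(self) -> int:
        """Emergency cull: revoke every issued key at once."""
        for rec in self._records.values():
            rec.revoked = True
        return len(self._records)

    def authorize(self, key: str, scope: str) -> tuple[bool, str]:
        try:
            key_id = key_id_of(key)
        except ValueError:
            return False, "malformed key"
        rec = self._records.get(key_id)
        if rec is None:
            return False, "unknown key"
        # constant-time compare so response timing does not leak how much of the hash matched
        if not hmac.compare_digest(rec.key_hash, _hash_key(key)):
            return False, "bad secret"
        if rec.revoked:
            return False, "revoked"
        if scope not in rec.scopes:
            return False, "scope not granted"
        return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Walk through issue -> use -> leak -> revoke, returning each check's outcome."""
    svc = ApiKeyService()
    leaked = svc.issue({"read:orders"})                    # the key the rogue employee hands out
    healthy = svc.issue({"read:orders", "write:orders"})   # an unrelated, still-trusted key
    tampered = leaked[:-1] + ("A" if leaked[-1] != "A" else "B")  # right id, wrong secret
    results = {
        "leaked_read_before": svc.authorize(leaked, "read:orders"),
        "leaked_write_before": svc.authorize(leaked, "write:orders"),
        "tampered_secret": svc.authorize(tampered, "read:orders"),
        "garbage": svc.authorize("not-a-key", "read:orders"),
    }
    svc.revoke(key_id_of(leaked))                          # cull only the leaked key
    results["leaked_read_after"] = svc.authorize(leaked, "read:orders")
    results["healthy_read_after"] = svc.authorize(healthy, "read:orders")
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

Two design points carry the weight here: the provider keeps only a hash, so a copy of its own key table does not hand out usable keys; and revocation is a per-key flag checked on every call, so once the leaked keys are culled the attacker’s copies stop working no matter how many were bred, while keys that were never exposed keep working.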
While we are all for employees doing their own thing and keeping life interesting, in this case we unfortunately have to award zero points: just as API keys can be bred like rabbits, they can clearly also be culled like rabbits. Watership Down, and all that.
The company’s marketing department should be taking notes too, because I have no idea what a “rabbit r1” even is. It takes a “learn more” link and three-quarters of a page scroll to reveal that it’s some kind of virtual assistant, or “pocket companion,” as the company insists on calling it.
Other features, including something called “teach mode” that they don’t explain, are “undergoing beta testing.” That’s the kind of Icarus-esque optimism from misguided techies (they’re always men; I skimmed the keynote, and in this case they actually are men) that we love.
The rabbit mascot is cute, but for $199 I need more than that. A smartphone already does this job, and the reviewer for TechRadar couldn’t resist saying that the Rabbit R1 is “not much good,” and that they’re “constantly looking at [their] ‘telephone’ anyway.”
Overall, I do like that Rabbit has competent security engineers and PR writers who can explain the ins and outs of security in simple, understandable terms.