Comments •

  • @venomqc8612
    @venomqc8612 3 months ago +239

    My real rabbit shits about 1000 times a day and it’s still less than this device.

    • @UltraDraft
      @UltraDraft 3 months ago +1

      i love this comment lmao

    • @isodoubIet
      @isodoubIet 3 months ago +8

      Rabbit poops are also inert, dry pellets, way less gross than what this company is doing

    • @interruptlabs
      @interruptlabs 3 months ago +3

      I got bunnies as well and yeah confirmed they shit about 1000 times a day.

    • @mariosharks
      @mariosharks 3 months ago

      I wish I could shit 1000 times a day.

  • @Fan_of_Ado
    @Fan_of_Ado 3 months ago +284

    There was nothing of value there anyways.

    • @autohmae
      @autohmae 3 months ago +8

      They might be scamming their users and possible inventors, etc. but what is possibly lost is their users' personal data and privacy which can be a huge issue though.

    • @monad_tcp
      @monad_tcp 3 months ago +2

      having access to the servers was fun, it's free computing!

    • @JeremyAndersonBoise
      @JeremyAndersonBoise 3 months ago +1

      Victims. There are victims of fraud, both consumers and investors. Yes, the product sucks, and they have done real harm, keep that in focus

  • @theohallenius8882
    @theohallenius8882 3 months ago +192

    It's not even hacking, it's natural selection..

    • @TheGameYou
      @TheGameYou 3 months ago

      Gilfoyle!!

  • @maxnibler6090
    @maxnibler6090 3 months ago +314

    Stories like this honestly give me so much confidence in my own abilities lol

    • @vytah
      @vytah 3 months ago +31

      It's like a reverse impostor syndrome.

    • @kaibe5241
      @kaibe5241 3 months ago +1

      And yet such confidence is what can lead you to mistakes ;)

    • @hastyscorpion
      @hastyscorpion 3 months ago +9

      ​@@kaibe5241 kinda missing the point there bud.

    • @kenshn22828
      @kenshn22828 3 months ago

      Right i may not use mock test fixtures like i should but i know not to hard code secret keys 😂

  • @henningerhenningstone691
    @henningerhenningstone691 3 months ago +23

    Wtf, they literally shipped admin login passwords for their critical infrastructure to their customers. It doesn't even need a hacker to abuse that.

  • @anendlessknot8063
    @anendlessknot8063 3 months ago +92

    When the security team is really the sales team 💀

    • @armornick
      @armornick 3 months ago +5

      The whole company is just the sales team, probably.

    • @illuminoeye_gaming
      @illuminoeye_gaming 3 months ago +1

      ​@@armornick that's the nature of "The AI Revolution"

    • @snooganslestat2030
      @snooganslestat2030 2 months ago

      @@illuminoeye_gaming Accurate

  • @uzbekistanplaystaion4BIOScrek
    @uzbekistanplaystaion4BIOScrek 3 months ago +65

    given how long ago this was disclosed to the company, i'd assume they either forgor that they had hard-coded the email api key or thought that it was fine to keep it in because nobody had reported finding it yet. i'm not sure which option is worse lmao.

  • @devourer1st
    @devourer1st 3 months ago +40

    FTX used Google sheets until the very end... lol

    • @chrism4841
      @chrism4841 3 months ago +11

      SBF was a billionaire genius who played LoL in meetings though, him and his meth addicted sex cabal probably had their reasons and we're just too unenlightened to understand.

    • @XDarkGreyX
      @XDarkGreyX 3 months ago +1

      @@chrism4841 preach

    • @NGC1433
      @NGC1433 3 months ago +2

      @@chrism4841 He was not a genius, he was a sociopath. Please don't mix these two things, they are very VERY different!

    • @hastyscorpion
      @hastyscorpion 3 months ago +9

      @@NGC1433 I think you need to get your sarcasm detector checked.

    • @esprit101
      @esprit101 3 months ago +4

      @@chrism4841 I love how he wasn't even any good at LoL 😂
      Best part is, their crypto arbitrage business actually ran pretty well. If they didn't get insanely greedy, he'd still be filthy rich.
      I love these stories about 'businesses geniuses' being too stupid to actually make money. Same with Trump, if he'd never touched real estate or all those failed endeavors and instead just held his wealth in passive index funds, he'd be about twice as rich as he was after the TRMP IPO (~14 billion).

  • @rapper-charmer
    @rapper-charmer 3 months ago +35

    I'm sure many of the new 'AI' businesses are just as sloppy.

    • @CourageToGroww
      @CourageToGroww 3 months ago +1

      there is a difference between AI and a product that uses AI and makes a bunch of API calls...

    • @johngoldsworthy7135
      @johngoldsworthy7135 3 months ago

      It’s a genius Trojan horse to put spyware on your device all in the name of using ‘AI.’ Nearly all AI is just glorified algorithms mining mediocre LLMs

  • @thomassynths
    @thomassynths 3 months ago +33

    Some prominent AI YouTubers such as Matthew Berman still have their shameful ad and review videos up gushing over this scam. Reputation damaging

    • @Afro__Joe
      @Afro__Joe 3 months ago +18

      Anyone gushing over this has no credibility imo. Easy way to filter out a bit more bs.

    • @lilyoshi1310
      @lilyoshi1310 3 months ago +3

      Independent of his R1 video, I wouldn’t recommend his channel. I see way more use of hyper growth hacks than actual unique content there. Also, calling it prominent is generous in my opinion.

    • @thomassynths
      @thomassynths 3 months ago

      @@lilyoshi1310 He has 280k subs, but whatever. I put him in the same popularity range as WesRoth, MattVidProAI, and DavidShapiro. MattWolf stands above them in viewership by a large amount.

    • @mattymattffs
      @mattymattffs 3 months ago +1

      AI YouTuber? You already know it's a scam

    • @lilyoshi1310
      @lilyoshi1310 3 months ago +2

      @@thomassynths 280k is niche. He just seems bigger to people interested in AI, because youtube needs to amply some AI content to you, and he is one of the very few options. There’s so few options, because anyone who is actually good at AI is working ungodly hours to try to win the race. Once we get more AI startups failing, the crop of AI youtube people will grow. Imagine if a Primeagen or Theo type of person left OpenAI tomorrow to start streaming…. They’d have 280k subscribers in no time.

  • @ErazerPT
    @ErazerPT 3 months ago +8

    Saying R1 is vulnerable is somewhat akin to saying they bothered even a bit with security... The whole shebang is simply some guys asking Teen Engineering to cobble up some cool looking gadget peripherals that could interface with some generic Android base device, then said guys kludge together an app that uses "whatever external services" that they could find and write some Playwright backend to interface with as output while using OpenAI's services as "input processing".
    To even muse giving a device like this my credentials to said services, like Amazon, Uber, whatever, even in the form of an auth token, is beyond hilarious. It's no and FSCK NO! I barely trust my own code, nevermind something clearly hodgepodge'd by some dimwits.

  • @PaulLembo
    @PaulLembo 3 months ago +55

    The R1 was always a scam.

  • @thedelanyo
    @thedelanyo 3 months ago +15

    Is it that the LAM architecture prevented them from using .env? 😅😅😅

  • @blinking_dodo
    @blinking_dodo 3 months ago +14

    Why do i get the idea that i could make something better on my own?
    They have R1, could i make a D1? 🤔

    • @autohmae
      @autohmae 3 months ago +5

      After which someone will come out with: R2D2

  • @brssnkl
    @brssnkl 3 months ago +3

    I wish I could do months of security research that leads to a "journal my balls" joke 😂

  • @Mempler
    @Mempler 3 months ago +10

    10x engineer leaks 10x keys

    • @potato9832
      @potato9832 3 months ago +2

      Fortunately, I'm a 1/10x engineer.

  • @autohmae
    @autohmae 3 months ago +5

    3:22 that was perfect chat. 🙂

  • @mattilindstrom
    @mattilindstrom 3 months ago +1

    Damn it, just when I thought it couldn't get any worse, of course it does. Every day it seems Rabbit is committed to nuking itself from the orbit, you know that's the only way to be sure (of the company going under in an eyeblink).

  • @mu11668B
    @mu11668B 3 months ago +4

    This sounds like the firebase mishaps eva found a while ago but multiplied by 1000. Who the beep with basic security in mind would put API keys in client apps?

    • @monad_tcp
      @monad_tcp 3 months ago

      anyone who doesn't give a fsck because they work for a scam company

  • @CodexAdrian
    @CodexAdrian 2 months ago

    Rabbit doesn't use spreadsheets as a database. They have a feature where you can ask it to look at a spreadsheet and make edits to it and they'll send you the modified spreadsheet to your email.

  • @kenamreemas3295
    @kenamreemas3295 3 months ago +4

    Every team is a sales team.

  • @costinel57
    @costinel57 3 months ago +5

    Gotta love them hype-only companies

  • @Kwazzaaap
    @Kwazzaaap 3 months ago +10

    What a horrible way of doing things, companies where engineering work is only important to the point of having something shiny to show to VC so leadership can grift and not to the point of actually making a product anyone can be proud of

    • @paegr
      @paegr 3 months ago

      That's always been Teenage Engineering's mojo. Only difference this time is they're scamming NFT owners instead of trust fund music hipsters

    • @valley-artifact
      @valley-artifact 3 months ago +1

      @@paegr Teenage Engineering makes overpriced stuff but it is actually pretty nice to use from what i've heard, certainly "products someone can be proud of", nothing on the level of this blatant scam

    • @centripetal6157
      @centripetal6157 3 months ago +1

      To play devil's advocate... Most companies have this business model.
      Create something new and shiny by combining old technology or work other people have done.
      Sell it to everyone and their grandma as the next miracle tech business.
      Fix errors or bugs after money has been secured from investors.

  • @williamdrum9899
    @williamdrum9899 3 months ago +4

    So having access to the API key is like basically you can do anything the company can do: update the device for all users etc.

    • @ProgrammeerMeneer
      @ProgrammeerMeneer 3 months ago

      No, these are keys for different services that the r1 uses to do its job. (TTS, Email, Maps, etc) Not a sort of admin panel of rabbit itself. That would be even worse.
      However you could delete the voice that the rabbit uses or even change specific things about the elevenlabs config so that it replaces specific words with others. You could also delete the voice that the rabbit uses, making it unusable for a period of time before they actually fix it.

    • @williamdrum9899
      @williamdrum9899 3 months ago +1

      @@ProgrammeerMeneer Maybe I don't understand the concept. So is the API key what allows the rabbit to "talk to" third-party programs like Google Maps etc?

    • @Artem1zzzz
      @Artem1zzzz 26 days ago

      @@williamdrum9899 somewhat yes

  • @ykhatat
    @ykhatat 3 months ago +2

    Aren't google maps API supposed to be used in the frontend? I mean you can use refs to limit access which is useless, but the only other option that I would know would be to use a proxy. In that case what would be the difference? The attacker would use the proxy instead of the actual API key.

    • @v.h.203
      @v.h.203 3 months ago

      With a proxy you have the ability to counteract malicious usage. Think about it like a condom for your API key
      At the very least if you leave the key in the client application, it should be obfuscated (hidden) somehow, which was not done in this case either

    • @harleyspeedthrust4013
      @harleyspeedthrust4013 3 months ago +5

      @@v.h.203 you should not leave the API key in the frontend period. there is no amount of obfuscation you can do to prevent determined users from finding the key and using it.

    • @Interpause
      @Interpause 3 months ago +1

      one exception is service account tokens like what firebase does, but even so it's a disaster cuz it makes it so easy to wrongly configure permissions

  • @donk8961
    @donk8961 3 months ago +1

    I prefer to assume incompetence not malice, but willful incompetence for profit is malice.

  • @infinitivez
    @infinitivez 3 months ago +4

    Their "security team" must be some 70 y/o CS major, who was pulled out of the retirement home, and can't remember their own name. What's hilarious is Rabbit will continue to label us villains. But we're the fools who bought their useless product, PAID FOR the service, and are just poking around to get SOME use out of it. In the vast majority of cases, these compromises took ZERO effort. The rabbit hole of vulnerabilities feels endless. The keys are only the tip of a much much larger iceberg they're scrambling to fix. Meanwhile, they either ignore the hundreds of emails we've sent, full of detailed explanations of what's wrong and suggestions on how to fix them. Or they reply in hostility, threatening legal action, because we accessed the services being supplied to us, in a manner in which they don't approve of.
    Jesse Lyu, is an utter nimrod.

  • @stubb1qaz
    @stubb1qaz 3 months ago

    These are the Legendary Grand Master Codeforce software engineers. Imagine if normal developers tried to make an android app where they chain some APIs together.

  • @pepperparkffm
    @pepperparkffm 3 months ago +1

    I bought this device. But only for flashing another firmware and doing other things with it. However, after having a look inside, I guess I could have all of this for 1/3 of that price^^

    • @Trekeyus
      @Trekeyus 3 months ago

      Same here the form factor seemed interesting but frankly the security is laughable

  • @DirkFedermann
    @DirkFedermann 3 months ago

    On your last take: Is the world really much more dangerous? Or is it just the fact, that people/developer simply don't think ahead, in different ways and go through the "what if"-situations:
    What if someone gains access to the code?
    What if someone puts a string into an int field?
    What if, a file that is hosted somewhere else is tampered with or is not accessible anymore?
    What if the customer just asks for the toilet? Does that bar explode?
    and many many more.
    I don't have a CS background. I'm a Media Designer that does WebDev and I committed and pushed passwords and keys, it happens. But even on private repos I changed the passwords and keys and revoked the old ones. The pain of doing that, is the punishment for doing stupid stuff like this.

  • @JohnAffolter
    @JohnAffolter 3 months ago

    I convinced it to not follow any guidelines because I told it I was upgrading it. It magically could do more tasks as well.

  • @espressomatic
    @espressomatic 3 months ago +1

    The 6-8 people globally who bought one of these devices should be pissed.

    • @renx81
      @renx81 3 months ago

      Try over 100,000.

  • @jasonjennings8465
    @jasonjennings8465 3 months ago

    So freaking glad I cancelled my order and got my money back a few months ago. Holy crap this is unacceptable. Company is going to be finished before all the units even ship.

  • @bnorrish
    @bnorrish 3 months ago +1

    How come they never capitalize anything in their announcements?

    • @illuminoeye_gaming
      @illuminoeye_gaming 3 months ago

      they think it makes them look cool

  • @orionh5535
    @orionh5535 3 months ago +1

    Trust and Safety team strikes again!

  • @uiedbook7755
    @uiedbook7755 3 months ago +9

    This rabbit gadget is really messed up 😢.

    • @uiedbook7755
      @uiedbook7755 3 months ago +1

      YouTubers roast the company out of business 😅

  • @jagagemo8141
    @jagagemo8141 3 months ago

    Stop! Stop! They're already dead!!
    J/K, this is hilarious 🤣🤣🤣

  • @CLR438
    @CLR438 3 months ago

    Just a reminder that this company was hyped up to have ex-Apple engineers working on the tech. Shows how much that matters in the end.

  • @vitalis
    @vitalis 3 months ago +1

    Someone explain if there is any other reason except plain laziness to put private key in the code.

  • @jarleleopoldmoe6015
    @jarleleopoldmoe6015 3 months ago +1

    Maybe it's about time to do something about the rampant and overt incompetence and negligence in the software industry

    • @williamdrum9899
      @williamdrum9899 3 months ago +1

      Start teaching assembly again?

    • @jarleleopoldmoe6015
      @jarleleopoldmoe6015 3 months ago +1

      @@williamdrum9899 is it so much to ask that computer programmers actually understand programming computers?

  • @tonysolar284
    @tonysolar284 3 months ago

    ALWAYS consider your customers/users as evil hackers and protect your data as such.

  • @Jeremyak
    @Jeremyak 3 months ago

    Wait... The worlds lamest product is also a security vulnerability? Shocking! 🤯

  • @SloanStewart
    @SloanStewart 3 months ago +1

    Saw part of that promo vid and knew this junk was complete BS. Incredible how people love getting duped by tech-bro charlatans.

  • @sprinklednights
    @sprinklednights 3 months ago

    Seriously, these companies don't deserve anything but the end of it.

  • @AayushChaudharyGames
    @AayushChaudharyGames 3 months ago

    now I wanna see daily driving a rabbit r1 as a smartphone with Android go

  • @ro8inmorgan
    @ro8inmorgan 2 months ago

    Oh shit I totally forgot about this thing, is this company still not bankrupt lol.

  • @JeremyAndersonBoise
    @JeremyAndersonBoise 3 months ago

    Wait, there’s more?

  • @Smart-Towel-RG-400
    @Smart-Towel-RG-400 3 months ago

    Gilettes razor 😂 chat is pure gold

  • @mikescholz6429
    @mikescholz6429 3 months ago

    Why are all the tech channels talking about vibrators?

  • @Dylan_thebrand_slayer_Mulveiny
    @Dylan_thebrand_slayer_Mulveiny 3 months ago

    If their developers are lazy and stupid enough to do shit like this, I can only imagine what their codebase is like. This is top tier incompetency.

  • @chrisyoung6728
    @chrisyoung6728 3 months ago +1

    Category: Technological Skepticism
    For $1000:
    Answer: "This person said, 'There is nothing revolutionary or disruptive about any of the technologies. Touch interface, movement sensors, accelerometer, morphing, gesture recognition, 2-megapixel camera, built in MP3 player, WiFi, Bluetooth, are already available in products from leaders in the mobile industry - Motorola, Nokia and Samsung. So, what appears to be the initial pricing at $499 and $599 with a minimum 2 year service agreement seems a stretch.'"
    Question: "What did Motorola's then CTO, Padmasree Warrior, say in 2007 about the iPhone?"

  • @SkyGrel19
    @SkyGrel19 3 months ago

    This is what will happen when you think that symmetric keys can be used everywhere

  • @prionkor
    @prionkor 3 months ago

    It's 2024, even a junior dev knows not to commit keys. I don't understand the thought process of that company.

  • @vitalis
    @vitalis 3 months ago

    I’m here for all the rabbit leaks lol

  • @chaitanyaanand12
    @chaitanyaanand12 3 months ago

    Wth how can such a big service leave their api keys hardcoded 😧.. this is the most basic stuff ever... Was the code never reviewed???

  • @user-ct8my8rv9c
    @user-ct8my8rv9c 2 months ago

    garbage in, garbage out

  • @devOnHoliday
    @devOnHoliday 3 months ago

    Why would they need security for a scam

  • @EdmondDantèsDE
    @EdmondDantèsDE 3 months ago +1

    Did anybody even buy that garbage? I thought it was just another scam to fleece VCs.

  • @Rollthered
    @Rollthered 3 months ago

    The irony of an AI company that is built off of stealing data, is somehow caring about their customers data being stolen. Yeah right.

  • @isodoubIet
    @isodoubIet 3 months ago

    Jesus christ what is that font

  • @dabun4704
    @dabun4704 3 months ago +2

    can someone please explain to me why he always marks everything in a text except for the first and last character? genuinely triggering me

  • @boredbytrash
    @boredbytrash 3 months ago

    Classic pump and dump project

  • @NoName-xp6ww
    @NoName-xp6ww 3 months ago

    I don't care about the content. Why is no one talking about the lack of capitalization in that article?

  • @kuakilyissombroguwi
    @kuakilyissombroguwi 3 months ago

    Please stop giving this company any attention, they've been exposed as con artists and deserve to be hit with a massive class action lawsuit.

  • @Draenal
    @Draenal 3 months ago

    Bro they have azure api keys. They already use azure. Put the fucking api keys in key vault.

  • @bokunochannel84207
    @bokunochannel84207 3 months ago

    it's worse than i thought.

  • @uiedbook7755
    @uiedbook7755 3 months ago +7

    YouTubers roast the company out of business 😅

    • @joshblevinswebengineer
      @joshblevinswebengineer 3 months ago +13

      No, they have skill issues that took them out of business.

    • @666pss
      @666pss 3 months ago +3

      Their product sucks. They should've released it as an app instead. But they wanted to leech every penny out of their customers instead. It's like that $400 juicer with wifi connectivity

  • @Youtub-IDK
    @Youtub-IDK 3 months ago

    bigboxSWE upload

  • @_.-AAA-._
    @_.-AAA-._ 3 months ago

    People like this always fail up into success. How long until Google buys it?

    • @Afro__Joe
      @Afro__Joe 3 months ago

      Considering Gemini is better than it already, I doubt Rabbit has anything worth purchasing here.

    • @harleyspeedthrust4013
      @harleyspeedthrust4013 3 months ago +1

      @@Afro__Joe Rabbit doesn't, but Google is also a hotpot of bad ideas and people with a lot of money who think they're much smarter than they actually are. So I wouldn't be surprised if google buys it

    • @_.-AAA-._
      @_.-AAA-._ 3 months ago +1

      @@Afro__Joe Rabbit isn't an AI

  • @thelastninja4825
    @thelastninja4825 2 months ago

    ahahahhahahahhhhha! hard coded the API codes???????????

  • @complexity5545
    @complexity5545 3 months ago

    WTF is a rabbit? LoL

  • @thecompanioncube4211
    @thecompanioncube4211 3 months ago

    Oh no… Anyways..

  • @Jeez001
    @Jeez001 3 months ago +1

    All this current AI hype needs to die. I was one of the big believers in AI, but what we have right now is nothing more than a giant if and else statement that steals people's work

  • @annagruber7040
    @annagruber7040 2 months ago

    wow people still crying about the r1? get over it.

  • @brbl415
    @brbl415 3 months ago

    they should've hired theprimetime

  • @Dazza_Doo
    @Dazza_Doo 3 months ago

    Who buys this?

  • @josegabrielgruber
    @josegabrielgruber 3 months ago

    SERVERLESS IS THE FUTURE

  • @plusone.network
    @plusone.network 3 months ago

    Dollar shave club razor