Type
Research
Actors
Pub. date
June 25, 2024
Initial access
Exposed secret
Impact
Resp. disclosure
Observed techniques
Credential harvesting from code repository
References
https://rabbitu.de/articles/security-disclosure-1https://rabbitu.de/articles/security-disclosure-2https://www.404media.co/researchers-prove-rabbit-ai-breach-by-sending-email-to-us-as-admin/
Status
Stub
Last edited
Jun 30, 2024 10:08 AM
Rabbit AI's codebase included several hardcoded API keys for ElevenLabs, Azure, Yelp, Google Maps, and SendGrid. According to the researchers who discovered this, this access would have allowed an attacker to read Rabbit customers' data, make customer devices inoperable, and tamper with AI model responses. Additionally, the researchers showed how they could abuse the SendGrid API key to send emails on Rabbit AI's behalf.