so I hadn't heard about the Rabbit R1, probably because it's another one of those devices that's marketed at AI rubes, like the Humane Pin. so my first exposure to it turned out to be an exposé posted to GitHub along with source code.
For those with a technical background, it's painfully clear that there's no artificial intelligence or large action model in sight. In reality, they're simply relying on several Playwright automation scripts to do the job for you, which is why they only support four apps: Spotify, Midjourney, DoorDash, and UberEats.
What's even more alarming is that they ask you to log in through their web portal, which is just a virtual machine connected via NoVNC. They also expect you to fill in your private passwords on their VMs. To make matters worse, they store the user sessions on their machines without any additional layers of security. This is both a blatant disregard for user privacy and a hilariously bad engineering practice.
Sadly, this shouldn't come as a shock to anyone who's done minimal due diligence on the team. After all, they were still hawking NFTs just two years ago.
I'll say this, at least this time it isn't a Mechanical Turk using underpaid workers in the Global South. it's just a bunch of scripts written using a website testing framework instead.
[edit 04/24/2024] the GitHub repo has been taken down (not surprisingly) but it's still on archive.org with links to the source
when even MKBHD says your product is "borderline nonfunctional" and uses it to talk about the way companies try to sell you on the future capabilities of your product instead of delivering something functional out of the box, you may have a problem.
the hits keep coming:
- read every response every r1 has ever given, including ones containing personal information
- brick all r1s
- alter the responses of all r1s
- replace every r1’s voice
[...]
we have internal confirmation that the rabbit team is aware of this leaking of api keys and have chosen to ignore it. the api keys continue to be valid as of writing.
we believe it is important for consumers to be aware of rabbit’s poor security practices, as it can have devastating consequences for r1 users.
we will not be publishing any more details out of respect for the users, not the company.
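The disclosure above turns on API keys that ended up somewhere they could be read. The usual defensive control for that class of problem is a pre-commit or CI check that refuses to let credential-shaped string literals into source. What follows is an added example of such a check, written for this post and not taken from the R1 codebase or from the Rabbitude disclosure; the sample source lines are constructed, the "keys" in them are made up, and the entropy threshold and vendor prefixes are my own choices.

```python
import math
import re
from collections import Counter

# Constructed sample source lines for the demo (not from any real codebase);
# every "key" below is made up.
SAMPLE_LINES = [
    'LLM_API_KEY = "q7Hx2Lp9Vb4Nz8Rk3Tm6Wy1Jd5Fg0Ca"',      # high-entropy literal -> flag
    'tts_key = os.environ["TTS_KEY"]',                      # read from the environment -> fine
    'DEBUG_MODE = "true"',                                  # not a credential name -> ignored
    'aws_key = "AKIAXXXXXXXXXXXXXXXX"',                     # known vendor prefix -> flag
    'PLACEHOLDER_TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"',  # low entropy, no prefix -> fine
]

# Assignment of a quoted literal to a name that suggests a credential.
SECRET_NAME = re.compile(
    r'(?i)\b\w*(key|token|secret|password|passwd)\w*\s*=\s*["\']([^"\']+)["\']'
)
# Prefixes used by real issuers (AWS access key IDs, OpenAI keys, GitHub PATs);
# anything starting with one of these is flagged regardless of entropy.
KNOWN_PREFIXES = ("AKIA", "sk-", "ghp_")
MIN_LEN = 20        # shorter literals are usually flags or labels, not keys
MIN_ENTROPY = 3.5   # bits per character; threshold is an assumption, tune per repo


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_literal(value):
    """Return a reason string if the literal looks like a credential, else None."""
    if value.startswith(KNOWN_PREFIXES):
        return "known credential prefix"
    if len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_ENTROPY:
        return f"high-entropy literal ({shannon_entropy(value):.2f} bits/char)"
    return None


def find_secrets(lines):
    """Scan source lines; return (line_no, redacted_prefix, reason) for each hit.

    Only the first six characters of a hit are returned so that the scanner's
    own output never becomes a second copy of the secret.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = SECRET_NAME.search(line)
        if not m:
            continue
        value = m.group(2)
        reason = classify_literal(value)
        if reason:
            findings.append((lineno, value[:6] + "...", reason))
    return findings


if __name__ == "__main__":
    hits = find_secrets(SAMPLE_LINES)
    for lineno, prefix, reason in hits:
        print(f"line {lineno}: literal starting {prefix!r}: {reason}")
    # A CI job would exit non-zero here to block the commit.
    raise SystemExit(1 if hits else 0)
```

Run against the constructed input it reports lines 1 and 4 and exits non-zero; the environment lookup, the short flag and the all-`x` placeholder pass. The point of redacting in `find_secrets` is that scanner logs are themselves an artifact people read and store, so a scanner that prints the full match just relocates the leak.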

