rabbit failed to properly reset all keys: emails can be sent from rabbit.tech domains
evil-rabbitude

in our last article we announced that rabbit had hardcoded keys in their codebase for ElevenLabs, Azure, Yelp, and Google Maps, which the rabbitude team had obtained.

in their discord server, rabbit issued the following response to our publication:

Today we were made aware of an alleged data breach. Our security team immediately began investigating it. As of right now, we are not aware of any customer data being leaked or any compromise to our systems.

If we learn of any other relevant information, we will provide an update once we have more details.

despite claiming no compromise had occurred, rabbit immediately revoked these four keys. one revocation was done improperly, leading to a temporary outage in text-to-speech services.

but we omitted another key from that release, one buried deeper in the code. and surprise-surprise: despite their ongoing internal investigation, rabbit didn’t revoke it.

sendgrid

as of writing, a fifth hardcoded api key exists for sendgrid, which is still active.

it provides access to a complete history of emails sent on the r1.rabbit.tech subdomain. this subdomain is primarily used for the r1’s spreadsheet-editing functions, meaning that it also includes user information contained within those spreadsheets.

it also allows us to send emails from rabbit.tech email addresses. a proof-of-concept was first sent a month ago, but it went unnoticed by the rabbit team. between that point and today, we did not view or send any further emails.

today we provided further proof of this retained access by sending sample emails from rabbit domains to journalists, including Jason Koebler of 404 Media, who published a great longform piece on this topic.

this article was edited shortly after publishing to correct and clarify a statement on the extent of available email data.