another day another controversy for the rabbit R1 apparently this time its developers wrote some bad code like inexcusably catastrophically bad code a code that allows someone to view every message ever sent on all devices code that allows the attacker to alter the messages sent to the end user and code that can brick every R1 in existence it's outrageous egregious and Preposterous lascivious salacious outrageous but the most shocking part about this story is what the company did to fix it in today's video we'll find out how this is even possible so you don't make the same mistake when shipping your own half-baked AI product it is June 27th 2024 and you're watching the code report I first encountered the rabbit R1 at CES in January where I was blown away by its utter uselessness along with the amount of cringe buzzwords used by its CEO despite setting off my detectors these devices sold out pre-orders within the first few minutes but after the initial hype the rabbit R1 has been the Lal of tech products of 2024 it was exposed as being nothing more than an Android app under the hood it was revealed to have origins in crypto and nft scams and when it actually shipped it was even more useless Than People imagined but never in my wildest imagination would I expect their developers to make a mistake like this hard coding API Keys directly into the code base this mistake was discovered by a group called rabbito which is dedicated to reverse engineering the R1 according to their statement back on May 16th they obtained access to the Rabbit Code base and inside that code base they found hard-coded API keys for 11 Labs Azure Yelp and Google Maps the most problematic one is 11 Labs which is an AI text to speech platform when you talk to the rabbit R1 it turns your speech into text it then passes that text off to a large language model to generate a response but before that response goes back to the end user that text needs to be converted back into speech and that's what 11 Labs does development of the atomic bomb that means the R1 needs to make an API call to 11 labs for every response ever sent by the R1 and that means if someone ever got the 11 Labs API key they'd be able to read every R1 response in history they'd be able to change responses and they could just delete the AI voices from 11 labs to Brick every single R1 in existence in a matter of seconds and that is quite the exploit and just to be clear it's not 11 lab's fault but there's one thing we need some clarification on in the statement it says rabbit tude gained access to the Rabbit Code base which I assume is referring to the backend Rabbit Code base the details are sparse but I don't think they actually put an API key in their Android APK which would be an even more absurd mistake because you should never put secret API keys in client side code even my 5-year-old knows that it seems more likely that rabbit has a leaker like an employee dumping the code onto a USB and potentially breaking the law to share it leaking is a risky business Julian Assange once leaked war crimes for which he was treated like a criminal even Hillary said can't we just drone that guy and he just regained his freedom a few days ago now the thing is when those war crimes leaked the war criminals didn't stop doing war crimes and what's crazy is that rabbit took a similar approach according to Rabbit tude they've known about this exposed 11 Labs API key for a month and their solution was to just ignore it and hope the problem goes away this information I assume is also coming from the leaker now at this point rabbit has rotated its API keys and this group is operating for the public good thus nothing catastrophic has happened to user data but there's a lot of good reasons not to hardcode API Keys into your code in fact I have a new Full Linux course coming up for fireship pro members that coincidentally talks about this issue might as well leave you a discount code if you want to get Early Access an API key is like a password and should be treated with the same amount of respect if a hacker gets a hold of one they could retrieve and delete all your data and cost you a bunch of money in the process when an API key is hard-coded one thing you might do is accidentally push it to a public git repo and right this very moment there are scraper Bots out there watching every git repo for exposed API keys to exploit problem number two is that it makes key rotation more difficult generally production app should rotate API Keys every 30 to 90 days but a high-profile app like the R1 where it's known that people are actively trying to reverse engineer it could be even more paranoid and rotate their keys every week or so and this process can be automated with zero downtime there's really no excuse another reason you don't just hard code is that for a key that's sensitive it should also be encrypted tools like AWS Secrets manager offer multip layers of protection so even if someone gets access to your server they still shouldn't be able to get the API key and even if someone does try to get access to it those requests are logged which would immediately identify the leaker so rabbit management could then put cyanide in their soy latte now if you own the rabbit R1 there is a recommended solution and that is to douse it in gasoline apply a flame to it and Chuck it in the cola super deep B hole this has been the code report thanks for watching and I will see you in the next one