Rabbit hole full of hardcoded credentials


This week I noticed an article by the rabbitude team titled “Rabbit Data Breach: All R1 Responses Ever Given Can Be Downloaded”, followed a day later by “Rabbit Failed to Properly Reset All Keys: Emails Can Be Sent from Rabbit.tech Domains”.

So I decided, why not, let’s jump into this rabbit hole and find out what’s going on. Yeah, did you see what I did right there?

TL;DR

Rabbit Data Breach Exposes Critical API Keys and User Data

According to rabbitude, Rabbit Inc. had known for a month that its ElevenLabs TTS API key (one of several credentials hardcoded in its codebase) was exposed, but took no action. The exposed keys allowed access to personal data, control over R1 devices, and the ability to alter the responses the device returns. Despite Rabbit’s public claim that nothing had been compromised, it revoked some of the keys once the exposure became public, but missed a SendGrid key, leaving email data and user privacy at risk.

Security as an Afterthought

Even though the Rabbit R1 doesn’t do anything your phone can’t already do, it is mind-boggling that a company of this size would hardcode credentials in its code.

It makes you think, wow… Clearly, security was an afterthought here. Even after the exposure was reported to them, it was ignored and the credentials weren’t rotated, which is the one step that actually ends the exposure.

A private repository is not a secret store, either. Source code gets cloned to laptops, copied into build artifacts and backups, and shared with contractors, and anything embedded in it leaks along with it.

What Can We Learn from This?

Well, obviously: don’t ever hardcode credentials. The weakness is catalogued as CWE-798 (Use of Hard-coded Credentials), so how do you prevent it from happening?

Avoid hardcoding credentials: Never embed credentials directly in your source code. Load them at runtime from configuration, environment variables, or a secret store, and fail closed if they are missing.
Use secure storage: Keep credentials in a secret management tool (e.g. HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) that provides access control, audit logging, and rotation.
Environment variables: Use environment variables as the delivery mechanism from the secret store to the process, not as the place the secret lives. They are readable by anything that can inspect the process (e.g. /proc/<pid>/environ, crash dumps, child processes, container inspection), so set them securely and make sure only the component that needs a credential can read it.
Encryption: Encrypt sensitive data at rest and in transit using well-reviewed standards. Encrypting a secret in a config file only moves the problem to the decryption key, so that key must be managed in the secret store as well.
Access controls: Implement strict access controls to limit who and what can read credentials, and follow the principle of least privilege so that one leaked key cannot unlock everything.
Regular rotation of credentials: Rotate credentials on a schedule to limit the window of exposure, and rotate immediately on any suspected exposure. Automated tooling makes rotation routine instead of an emergency.
Code reviews and audits: Conduct regular code reviews and security audits to find and remove any hardcoded credentials, including in build scripts, test fixtures, and firmware.
Static analysis tools: Run secret-scanning and static analysis tools over the codebase, in pre-commit hooks and in CI, so a hardcoded credential is caught before it is ever pushed.
Education and awareness: Train developers and engineers on secure coding practices and on the risk that a credential in code will eventually leak.
Incident response plan: Have an incident response plan in place so that an exposed credential is revoked and rotated quickly, and so that every key in the codebase is checked, not just the one that was reported.
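To make the “static analysis tools” and “avoid hardcoding credentials” rows concrete, here is an added example of the kind of secret scanner a pre-commit hook or CI job would run, plus the hardened way to load a credential. This is not code from the original post or from Rabbit or rabbitude. The SendGrid key format (SG. plus 22 and 43 URL-safe base64 characters) and the AWS access key ID format (AKIA plus 16 characters) are the publicly documented ones; the sample source lines, the ElevenLabs-style hex value, the placeholder markers, and the entropy thresholds are constructed assumptions for illustration.

```python
"""Minimal hardcoded-credential scanner plus a fail-closed secret loader.

Added example; not code from the original post, Rabbit, or rabbitude.
Sample source lines below are constructed and none of the values is real.
"""
import math
import os
import re
from dataclasses import dataclass

# Rules for credential formats with a recognisable shape. Extend for your own stack.
KEY_PATTERNS = {
    # SendGrid API keys: "SG." + 22 chars + "." + 43 chars from the URL-safe base64 alphabet.
    "sendgrid_api_key": re.compile(r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    # AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic rule: a secret-looking variable assigned a quoted literal of 20+ characters.
ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\w*\s*[:=]\s*['\"]([^'\"]{20,})['\"]"
)
# Values containing these are placeholders, not live credentials (assumed list).
PLACEHOLDER_MARKERS = ("${", "<", ">", "example", "changeme", "your_", "xxx")
HEX_RE = re.compile(r"^[0-9a-fA-F]{32,}$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    line: str


def shannon_entropy(value: str) -> float:
    """Bits per character over the string's own symbol frequencies."""
    if not value:
        return 0.0
    n = len(value)
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str) -> bool:
    """Heuristic: skip obvious placeholders, then require randomness.

    Hex strings top out at 4 bits/char, so they get a lower threshold than
    mixed-alphabet (base64-style) strings. Thresholds are assumed values.
    """
    lowered = value.lower()
    if any(marker in lowered for marker in PLACEHOLDER_MARKERS):
        return False
    threshold = 3.0 if HEX_RE.match(value) else 4.0
    return shannon_entropy(value) >= threshold


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit; a line may trip several rules."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in KEY_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(line_no, rule, line.strip()))
        m = ASSIGNMENT.search(line)
        if m and looks_like_secret(m.group(2)):
            findings.append(Finding(line_no, "generic_assignment", line.strip()))
    return findings


def load_secret(name: str) -> str:
    """Hardened alternative to a literal: read from the environment, fail closed.

    In production the environment is populated at start-up by a secret manager
    (Vault Agent, AWS Secrets Manager, ...), not by a committed .env file.
    """
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value


# Constructed "source file" exercising each rule. The AKIA value is the example
# key from AWS's own documentation; the others are made up for this example.
SAMPLE_SOURCE = """\
SENDGRID_API_KEY = "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"
eleven_api_key = "9f3c1b7e2a4d8c6b0e5f7a1d3c9b2e4f"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = "${DATABASE_ADMIN_PASSWORD}"
api_key = os.environ["ELEVENLABS_API_KEY"]
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.line}")
```

Run against the sample, the first three lines are flagged (the SendGrid line twice, by the format rule and by the generic rule), the placeholder on line 4 is skipped, and line 5, which reads the key from the environment, is the pattern you want to see. A scanner like this is cheap to run on every commit; what it cannot do is revoke a key that is already out, which is why the rotation and incident response rows matter just as much.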

CWE-798 also appears in the 2023 CWE Top 25 Most Dangerous Software Weaknesses list, so this is hardly an obscure or novel mistake.