Rabbit r1 secretly kept user data that could not be deleted


Rabbit, the developer of the viral pocket companion r1, has revealed the device stored user data that could be seen by someone else.

The company said r1 logged text-to-speech replies and device-pairing data “directly” to the device storage – something it revealed it was not aware of until last week. The flaw means that the data could be exposed to third parties if the device was stolen, lost, or sold.

“If a customer sold their device after using it, or if a device was lost or stolen, the new owner could potentially jailbreak the device and gain access to those log files,” Rabbit said.

Users were not informed that their data, such as chats or pictures, was stored on the device and had no way to erase it. Rabbit said it “became aware” of the problem on July 10th and took steps to resolve the issue.

Following an automatic software update, pairing data will no longer be logged to the device. A “factory reset” option is now also available via the settings menu and will allow users to erase all data from their r1 before transferring ownership.

Rabbit said it will reduce the amount of data stored on the device and only use pairing data to trigger the actions instead of also logging it into r1’s “rabbithole journal.”

The company said it had “no indication that pairing data has been abused to retrieve rabbithole journal data belonging to a former device owner.”

“In light of this potential risk, and to prevent similar issues in the future, our team is performing a full review of device logging practices to ensure that they align with the standards we’ve set in other areas,” it said.

Rabbit’s AI assistant was launched to great fanfare in March this year, but soon faced a wave of negative reviews, including criticism that it was “just an Android app” and concerns about its security.
