URL: https://blog.barracuda.com/2024/07/03/api-keys--api-keys--wherefore-art-thou-always-leaking-

API KEYS, API KEYS, WHEREFORE ART THOU ALWAYS LEAKING?

Jul. 3, 2024 | Stefan van der Wal

Yes, we just realized that wherefore means why, not where. Don’t judge. :)

The rabbit r1 API key leak is the latest in a series of leaks that show that API
security is still in its infancy. It is also one of the newer forms of
credential theft and Account Takeover (ATO). A stolen API key gives an attacker
programmatic access to troves of data that can be pulled quickly and in large
quantities, which makes this type of attack a high-impact security event.


WHAT IS THE RABBIT R1?

The rabbit r1, also called the ‘r1’, is meant to be a virtual assistant that
requires minimal input to get the desired result. This pocket-sized artificial
intelligence (AI) gadget is like a smartphone, but there are no apps for you to
open and navigate. If you’d like to order an Uber or play music, just tell the
r1. The device interacts with your accounts and services in the background, but
you won’t see any of that action on your r1 device. Once you’ve configured the
rabbit r1 backend to access your accounts, you can just talk to the device to
access those services.

Image: The rabbit r1 pocket companion

The device gets mixed reviews on performance, but CEO Jesse Lyu claims to have
sold 130,000 of these devices as of June 2024. If every device is configured to
access Uber, Spotify, DoorDash, and other supported services, every device will
have access to multiple user accounts.


SO, WHAT HAPPENED?

On May 16, 2024, a group of researchers/hacktivists called ‘rabbitude’
discovered hardcoded API keys in the rabbit r1 codebase. In simple terms, an
application programming interface, or API, facilitates interaction between two
applications. APIs allow rabbit r1 to communicate with the supported apps that
the user configures. API keys are unique identifiers used to authenticate the
user or application trying to access the API. When the hacktivists found the
hardcoded API keys, they were able to gain access to these third-party
platforms:

 * ElevenLabs (for text-to-speech)
 * Azure (for an old speech-to-text system)
 * Yelp (for review lookups)
 * Google Maps (for location lookups)

The access provided by the API keys varied, but at least one gave full
privileges to ElevenLabs. This key would allow threat actors to get histories of
all past text-to-speech messages, add custom text replacements, and more. It
could even be exploited to crash the rabbit OS backend and make all r1 devices
unusable.


WHAT IS THE BIG PROBLEM?

While all devices, applications, and companies are susceptible to
vulnerabilities and exploits, the use of hardcoded keys has been a known bad
practice for decades. It is a serious enough security issue that it is
catalogued as Common Weakness Enumeration (CWE) 321. This is not an unknown
security issue. Hardcoded keys or credentials have been responsible for the
compromise of everything from routers to switches to massive software platforms:

 * Twitter API keys were leaked through thousands of mobile apps, allowing
   attackers to access various categories of sensitive information.
 * Toyota inadvertently leaked keys in source code uploaded to GitHub, which
   exposed over 296,000 customer records with email addresses.
 * Uber’s systems contained a hardcoded admin account that gave an attacker
   access to the company’s infrastructure and network. (CWE-798 addresses
   hardcoded credentials)

As an industry, IT seems to be bent on repeating the mistakes from the past.

Security standards for IT development and security warn against this practice
for good reasons. If a hardcoded key is found, it may be difficult to remove
without breaking the API. More importantly, if the key falls into the wrong
hands, as it did with rabbit r1, it can be used for nefarious ends.

APIs are the highways of IT, allowing us to exchange large amounts of
information at the push of a button. They are a strict necessity for proper
automation, and as an industry, we would not be able to move forward without
them. Their sensitivity and the impact of security issues force us to take a
step back and analyze how we build them and how we interact with them.


WHAT'S THE SOLUTION?

There are no one-size-fits-all solutions in cases such as these, but there are
some best practices:

 * Do not ever use hardcoded credentials in software.
 * Have a comprehensive application security strategy that is effective both
   at build time and at run time.
 * Review code and security practices at a regular pace.
 * Learn from the past. Many security mistakes have already been made
   ad nauseam.
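As an added example (not code from this post or from rabbit), the first and third practices above can be enforced with a small pre-commit or CI check that flags string literals assigned to credential-looking names, skipping obvious placeholders and short or low-entropy values. The sample source and every key value in it are constructed for this example; the hardened line reads the key from the environment instead of the source file.

```python
import math
import re
from collections import Counter

# Constructed sample source (not the rabbit r1 codebase); every key value is made
# up for this example. Line 3 shows the hardened form: the key is read from the
# environment (or a secrets manager) instead of being written into the source.
SAMPLE_SOURCE = """\
import os
ELEVENLABS_API_KEY = "sk_3f9a1c7e2b8d4a6f0e1c9b7a5d3f2e1c"
azure_speech_key = os.environ["AZURE_SPEECH_KEY"]
yelp_token = 'abcdefghijklmnopqrstuvwxyz012345'
GOOGLE_MAPS_KEY = "REPLACE_ME"
api_key = "demo"
timeout_seconds = "30"
"""

# A string literal assigned to a credential-looking name (key, token, secret...).
CRED_ASSIGNMENT = re.compile(
    r"""^\s*(?P<name>\w*(?:key|token|secret|password|passwd)\w*)\s*=\s*"""
    r"""(?P<q>["'])(?P<value>[^"']+)(?P=q)""",
    re.IGNORECASE,
)
KNOWN_PLACEHOLDERS = {"replace_me", "changeme", "todo", "your_key_here", "xxx"}

def shannon_entropy(s: str) -> float:
    """Bits per character; real keys are random-looking, so they score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_hardcoded_credentials(source, min_len=16, min_entropy=3.0):
    """Return (line number, variable name) for each suspicious literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = CRED_ASSIGNMENT.match(line)
        if not m:
            continue
        value = m.group("value")
        # Placeholders and short or low-entropy values are skipped to cut noise.
        if value.lower() in KNOWN_PLACEHOLDERS or len(value) < min_len:
            continue
        if shannon_entropy(value) < min_entropy:
            continue
        findings.append((lineno, m.group("name")))
    return findings

def scan_passes(source: str) -> bool:
    """Gate for a pre-commit hook or CI step: True when nothing was flagged."""
    return not find_hardcoded_credentials(source)
```

On the sample source the check flags lines 2 and 4 and lets the environment lookup, the placeholder, and the short value through; a real pipeline would run it over every changed file and fail the commit when `scan_passes` is false.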


BARRACUDA CAN HELP

Barracuda Application Protection is an integrated platform that combines a
comprehensive set of interoperable capabilities to deliver complete
application security, including protection for the OWASP Top 10 Web and API
threats. Visit our website for details.

Stefan van der Wal

Stefan van der Wal is a Consulting Solutions Engineer, Application Security at
Barracuda. Connect with him on LinkedIn here.
