Hey friends, let me start by saying - I’m actually really excited about Rabbit’s new r1 device. The idea of having an AI assistant and image analyzer in a portable little “Pokedex” is extremely cool. And being able to connect it to services like Midjourney for AI art generation and Spotify for music? Awesome!
But here’s the thing that has me a bit concerned. Instead of using a nice secure method like OAuth to link accounts, the r1 has you log into services through VNC in their portal.
Don’t get me wrong, I love the convenience of being able to connect applications to an AI device. But having it snapshot your credentials or session data is… not great from a security standpoint.
Here’s why:
- You’re effectively logging into someone else’s computer (the VNC machine) with your account info, so Rabbit’s staff could potentially access and abuse your credentials or the account data behind them
- If there’s a keylogger on those VNC machines, they could also harvest login details for accounts you access through login-with-Google/Facebook/etc.
- If an attacker got cross-user access to the VNC machines, or if Rabbit isn’t properly encrypting the stored creds, that’s a single entry point for accessing everyone’s accounts.
Maybe I’m just being paranoid, but giving a third-party that level of access seems really risky to me. Especially when OAuth and other secure auth methods exist.
Now I’m not saying Rabbit has bad intentions here. I think they needed to get the product out the door. And some services don’t offer service accounts, API keys, or OAuth grants. But this VNC login setup introduces some serious potential vulnerabilities that concern me.
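To make the contrast with the VNC approach concrete, here is an added example (not Rabbit’s code, and not from the original post) of the client-side half of an OAuth 2.0 authorization-code grant with PKCE (RFC 7636): the agent never handles the user’s password, asks only for the scopes it needs, and checks the `state` value on the way back. The endpoint, client id and redirect URI are made-up placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method.

    The verifier stays on the client; only the challenge goes to the
    authorization server, so an intercepted code alone is useless.
    """
    if verifier is None:
        verifier = _b64url(secrets.token_bytes(32))  # fresh 43-char verifier
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(authorize_endpoint: str, client_id: str,
                        redirect_uri: str, scopes: list, state: str,
                        code_challenge: str) -> str:
    """Build the URL the user opens in their OWN browser.

    Note what is absent: no username, no password. The user signs in
    directly with the service and only a scoped grant comes back.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # request the minimum needed
        "state": state,                     # CSRF protection for the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the agent and return the auth code."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our request")
    if "error" in q:
        raise ValueError(f"authorization refused: {q['error'][0]}")
    return q["code"][0]
```

The agent would then POST the code plus `code_verifier` to the token endpoint and store only the resulting scoped, revocable token, never the user’s credentials.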
If you’re still intending to use the service, be cautious about which accounts/services you connect through the VNC portal, and consider setting up a second account for this specific use case.
Honestly, this whole ordeal is exactly why I think we really need innovation in the auth industry for AI agents.
What are your thoughts? Am I being too cynical here or do you share the same security concerns? Let me know by hitting me up on X/Twitter.
- Joseph