xyzeva Profile
xyzeva

@xyz3va

Followers
15K
Following
228
Media
78
Statuses
509

(un)professional hacker | part of https://t.co/aKL2j2fXq3 and https://t.co/JyJKHL5O9Y

she/her
Joined October 2023
@xyz3va
xyzeva
6 days
big things soon.
11
0
168
@xyz3va
xyzeva
6 months
yo guys i found a free google maps api key.
@dshukertjr
Tyler Shukert
6 months
In my Uber clone example with Flutter and Supabase, I created a script using Claude to simulate a driver's movement! It updates the ride status and driver's position step by step to make it look like the driver is moving towards the customer, and then towards the destination!
33
325
8K
@xyz3va
xyzeva
8 months
completely new discord account joins jailbreaking servers, posts this. domain isnt anywhere in the code
Tweet media one
54
327
7K
@xyz3va
xyzeva
9 months
hmm
Tweet media one
91
262
6K
@xyz3va
xyzeva
5 months
gaining access to anyones browser without them even visiting a website (CVE-2024-45489).
121
636
6K
@xyz3va
xyzeva
5 months
update! arc has increased my bounty from 2k to 20k! we're figuring out logistics for me to get the money atm.
@xyz3va
xyzeva
5 months
gaining access to anyones browser without them even visiting a website (CVE-2024-45489).
139
145
6K
@xyz3va
xyzeva
9 months
hi @rabbit_hmi, lets talk about you.
- owning a (probably) illegal office.
- calling us a group of state backed russian hackers.
- lied about the LAM;
  • being unaffected by captchas.
  • using vision.
  • backend not being hacked.
- not giving refunds.
thread.
52
291
4K
@xyz3va
xyzeva
5 months
CVE-2024-45489
Tweet media one
71
134
4K
@xyz3va
xyzeva
9 months
@westernunion2k hi, one of the researchers behind this. its worse than that. its not just plaintext passwords, its plaintext *bank* passwords.
13
47
4K
@xyz3va
xyzeva
9 months
hi @rabbit_hmi, i think we should talk about you breaking the android license, censoring our research, lying to your community. thread.
29
219
3K
@xyz3va
xyzeva
8 months
all rabbit r1 responses could be read by us for the past month and rabbit knew about it and did nothing to fix it.
31
211
2K
@xyz3va
xyzeva
9 months
so, the rabbit R1 can run doom, but can the servers running the so-called "LAM" run doom? in collaboration with @MarcelD505 and @schlizzawg we found out and it turns out it can.
33
210
2K
@xyz3va
xyzeva
8 months
Tweet media one
4
18
2K
@xyz3va
xyzeva
8 months
3
2
2K
@xyz3va
xyzeva
7 months
how to pwn a billion dollar vc firm using inspect element.
67
101
2K
@xyz3va
xyzeva
8 months
be me, reverse cloudflare nameservers of find the cloudflare account also owns which was running a ctf hosted by @HashtagCyber (Matt Domko), the head of security (but rather the only security person! at @rabbit_hmi).
6
21
2K
@xyz3va
xyzeva
8 months
i don't know what this was for but it was likely to get our ips. it completely flopped. nice try though.
6
6
2K
@xyz3va
xyzeva
6 months
bet 100$ that the data isnt actually end to end encrypted because no way anyones doing ai processing on that small of a device.
@AviSchiffmann
Avi
6 months
introducing friend. not imaginary. order now at
36
39
2K
@xyz3va
xyzeva
8 months
rabbit didn't reset their api keys properly and we can read/write all emails.
12
77
2K
@xyz3va
xyzeva
9 months
in addition to the 2 part series of @coffeebreak_YT that i helped with. heres how rabbit:
- didnt pay their old developers.
- stole code (and broke licenses).
- had extremely bad security practices.
- more technical proof that lam doesnt exist.
thread.
8
111
2K
@xyz3va
xyzeva
8 months
@HashtagCyber was also in another group trying to reverse the r1, spying on them. really. childish. behaviour.
8
6
1K
@xyz3va
xyzeva
9 months
no context needed
Tweet media one
11
8
1K
@xyz3va
xyzeva
8 months
hey @jessechenglyu! you should stop making legal threats to the people making your product actually functional! as much as you would try, jailbreaking or publishing fw dumps is not illegal. shut the fuck up and actually improve your device instead of putting alts in rabbitude.
Tweet media one
29
85
1K
@xyz3va
xyzeva
9 months
the rabbit reverse engineering project is now public:
we are planning on:
- making a jailbreak.
- making mods.
- documenting the r1 internals.
- and more!
learn more here:
15
67
1K
@xyz3va
xyzeva
9 months
since rabbit is using the android kernel, they must abide by the android kernel license which is GPL 2.0. GPL requires you to publish any changes you've made to the software, which rabbit has not. this is illegal. they must publish their changes to the kernel immediately.
10
21
1K
@xyz3va
xyzeva
7 months
someone from @a16z get in touch, now. its bad. security related.
30
17
1K
@xyz3va
xyzeva
4 months
finishing up a new article. ps: you're likely affected :).
38
14
1K
@xyz3va
xyzeva
9 months
rabbit has also blocked the @coffeebreak_yt video link in their discord, and banned me. they also banned other researchers because of simply saying they worked with me. this isnt what a normal company would do if this was false information, and its extremely sketchy.
2
12
923
@xyz3va
xyzeva
8 months
for reasons thatll be revealed soon please unlink all of your accounts from the rabbithole ASAP.
17
83
907
@xyz3va
xyzeva
9 months
the LAM is also not an LAM, after reviewing the code that was left in this server, we have determined that there is no AI determining where to click, its instead just a hardcoded list of locations to type with which has been done countless times before.
20
55
883
@xyz3va
xyzeva
8 months
rabbit has heavily obfuscated the latest launcher apk file. while their security lead is saying that "modding is cool and fine!". thread
Tweet media one
9
45
906
@xyz3va
xyzeva
6 months
SCOOP: more info on @LinusTech account hijacking. after chatting with @luke_lafr for a bit, i got a copy of the website linus was sent to, and can confirm it is a normal phishing site with /reset/LinusTech which automatically fills the username and profile picture field
Tweet media one
Tweet media two
21
35
863
@xyz3va
xyzeva
2 months
hi @calcom its been a month since i reached out to you about a vulnerability disclosure and have gotten no response even when going through contacts. its kind of critical and i hate doing this thing where i publicly reach out but you're kinda forcing me to.
12
13
829
@xyz3va
xyzeva
9 months
they also, banned me from the discord for providing proof that LAM does not use vision and is specific to applications. truly peak company, and not a grift at all.
5
8
740
@xyz3va
xyzeva
9 months
the rabbit community manager, has been saying that there is nothing to worry about while actively dodging all questions asked about our research. and jesse is saying that the "haters" wont go away even if he proves it, and then continues to not prove it.
Tweet media one
1
9
720
@xyz3va
xyzeva
6 months
just spotted a really popular firebase app. fully owned in 3 minutes. and this is why you dont use firebase.
16
4
723
@xyz3va
xyzeva
7 months
vuln fixed. it was very bad. full access to basically everything.
@xyz3va
xyzeva
7 months
someone from @a16z get in touch, now. its bad. security related.
5
7
713
@xyz3va
xyzeva
4 months
the @browsercompany was extremely nice to me while reporting vulns. while there were some issues with the bounty amounts initially, it was all fixed in the end. also, arc's new security bulletin includes a new high severity vuln by me!
5
16
725
@xyz3va
xyzeva
8 months
@ZoeMeetAgain_ sorry i shouldve clarified: when i said head of security i meant this is the only security person.
2
3
693
@xyz3va
xyzeva
10 months
no thanks, ill just use cloudflare pages instead for my completely static site
Tweet media one
16
7
685
@xyz3va
xyzeva
8 months
rabbit has now revoked the elevenlabs api key breaking literally every r1, cause they forgot to update their key on the server.
7
24
675
@xyz3va
xyzeva
9 months
so, remember how jesse said that the "LAM" wont be affected by captchas? that was also a lie. @jessechenglyu being like "oh nooo our product is bad but dont talk about it it makes me sad"
Tweet media one
3
12
671
@xyz3va
xyzeva
9 months
so, here's everything we did to achieve this in action:
2
27
659
@xyz3va
xyzeva
9 months
fun fact! the rabbit inc corporation is unable to operate within CA, because its suspended there! guess where they have an office? california. this is probably illegal (im not a lawyer idk)
Tweet media one
Tweet media two
4
14
651
@xyz3va
xyzeva
9 months
alongside that, the so called "rabbit OS" thats running in the cloud isn't a custom operating system. their servers just run Ubuntu with custom applications on top of it.
Tweet media one
7
16
590
@xyz3va
xyzeva
9 months
and here's the rabbit servers running minecraft:
2
22
588
@xyz3va
xyzeva
5 months
arbitrary js execution on any website with 0 user interaction.
10
0
586
@xyz3va
xyzeva
9 months
@jessechenglyu in his infinite wisdom called us a group of "professional state-backed russian hackers" that "shipped it overseas to russia (lie)" and "desoldered the r1 (lie)" to hack it. sadly, we don't have a recording of this, but it happened in the latest Q&A stage in discord.
2
5
526
@xyz3va
xyzeva
8 months
paypal has not fixed a critical vuln being exploited ITW for 2 weeks. this is a vulnerability allowing anyone to do chargeback fraud on any paypal account. this was found being exploited on @PirateSoftware. i will release the details tomorrow if paypal takes no action.
6
52
477
@xyz3va
xyzeva
6 months
hey hursh! arc browser in the latest release still has these features, but it no longer even shows up in MITM software.
@hursh
Hursh Agrawal
8 months
@vmfunc @xyz3va Yeah that's a really fair callout and I'm sorry for saying it's totally unconnected. Our Privacy Policy lays all this out in excruciating detail and we've tried hard to make it really digestible and readable so it's not jargon, so that's the authoritative reference for how we.
3
21
481
@xyz3va
xyzeva
9 months
the way all of this was achieved was the way the R1 communicated with the so-called connected apps, the server would expose the entire screen (through VNC).
3
7
455
@xyz3va
xyzeva
9 months
by the way, this isn't running on the connections log-in machine, but rather the one tasked for ordering ubers, spotify and other stuff.
8
4
446
@xyz3va
xyzeva
7 months
what the fuck is a vought group and the fuck we arent
Tweet media one
15
6
460
@xyz3va
xyzeva
4 months
in @fireship_dev's new video, he showed how simple of a rule could fix the issue in arc. except this security rule wouldnt work, because on create there is no restriction for the user, meaning any user can *create* a new boost with another users id with this rule
Tweet media one
14
10
444
@xyz3va
xyzeva
7 months
i now own a site documenting the impact of the crowdstrike outage. please reply with things not already added and i will add them!
48
49
426
@xyz3va
xyzeva
9 months
read my previous threads on rabbit:
and join the rabbitude discord:
@xyz3va
xyzeva
9 months
in addition to the 2 part series of @coffeebreak_YT that i helped with. heres how rabbit:
- didnt pay their old developers.
- stole code (and broke licenses).
- had extremely bad security practices.
- more technical proof that lam doesnt exist.
thread.
0
7
422
@xyz3va
xyzeva
6 months
rabbitude ai
Tweet media one
7
10
422
@xyz3va
xyzeva
4 months
person with their revenue in their twitter bio realises they cant just ship insecure products and proceeds to do it anyway because "ship fast".
@marc_louvion
Marc Lou
4 months
I was a virgin, an hour ago. I've never blocked anyone after 3 years on Twitter. But my feed in the past 30 days is made of developers who think the world can be fixed with more tests. Dozens of people try to screw my sites every day. And they claim a CRITICAL VULNERABILITY.
12
12
428
@xyz3va
xyzeva
8 months
rabbit broke their email verification system. cause they forgot to update the key again. lmao.
5
0
413
@xyz3va
xyzeva
5 months
note: doesn't even require you to go to an attackers website.
2
0
405
@xyz3va
xyzeva
9 months
and now theyre delaying refunds as well! guess they got overwhelmed now, because previously there was "very few"
Tweet media one
Tweet media two
Tweet media three
6
5
397
@xyz3va
xyzeva
9 months
he also said in the same q&a session that my tweet about breaking into the "LAM" boxes was fake, which is just a lie. again, if anyone has a recording of the q&a, please dm me.
@xyz3va
xyzeva
9 months
so, the rabbit R1 can run doom, but can the servers running the so-called "LAM" run doom? in collaboration with @MarcelD505 and @schlizzawg we found out and it turns out it can.
2
6
388
@xyz3va
xyzeva
2 months
gamerdoc here i come.
@Dexerto
Dexerto
2 months
Riot Games is offering up to $100K to anyone that finds exploits in their anti-cheat system, Vanguard
Tweet media one
Tweet media two
11
4
364
@xyz3va
xyzeva
8 months
back up now, lmao.
2
3
348
@xyz3va
xyzeva
4 months
what the actual drama farm is this post. giving someone your email isnt getting doxxed, they just probably enabled it to prevent spam 😭.
@Pirat_Nation
Pirat_Nation 🔴
4 months
Godot are trying to dox users by forcing them to send their gmail email when applying for an unblock
Tweet media one
Tweet media two
18
8
345
@xyz3va
xyzeva
5 months
there is technically a precondition but i'd argue its easily obtainable.
2
0
345
@xyz3va
xyzeva
8 months
blocky web. a userscript to bring back the boxiness of the old web for *any* website.
Tweet media one
Tweet media two
8
29
336
@xyz3va
xyzeva
4 months
the s in iot stands for security.
9
34
335
@xyz3va
xyzeva
10 months
since the xz project is locked i have a perma unread notification on github that i cant read
Tweet media one
3
6
323
@xyz3va
xyzeva
5 months
@theJoshMeister @browsercompany @arcinternet no, it is specific to them, i'll have a full writeup in a bit.
1
0
320
@xyz3va
xyzeva
8 months
if you think this is inappropriate behaviour and you work at any of these following companies;
- Rabbit (PLEASE CONTACT ME)
- Perplexity
- Anthropic
- ElevenLabs
- OpenAI
- or anyone who partners with rabbit.
contact me via dms, signal (xyzeva.66) or email xyzeva@riseup.net.
2
8
302
@xyz3va
xyzeva
7 months
by far the best image ever
Tweet media one
3
4
298
@xyz3va
xyzeva
2 months
@calcom security@cal.com as listed in your sec contact.
1
0
311
@xyz3va
xyzeva
5 months
9
12
295
@xyz3va
xyzeva
4 months
im sorry to inform you all that i am not the person who found the alleged video game related 0day.
5
0
295
@xyz3va
xyzeva
7 months
to the person that sent me this on throne, i have your ip, hope you have a good day. sending death threats to people isnt okay
Tweet media one
13
3
275
@xyz3va
xyzeva
8 months
HOW IS ANY OF THIS OUT OF CONTEXT. WHAT THE HELL ARE YOU ON ABOUT. FUCK YOU.
Tweet media one
4
3
274
@xyz3va
xyzeva
7 months
this vuln got closed as informative for @Notion's bug bounty program, it allows you to see who edited public pages and published ones on notion site URLs, and alongside their email. this is extremely useful data about your target. but public disclosure it is then
Tweet media one
Tweet media two
10
5
272
@xyz3va
xyzeva
4 months
10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H
23
4
261
@xyz3va
xyzeva
9 months
yes! its true, not only did rabbit steal code they also broke licenses alongside it! you know the rabbit keyboard? thats actually an illegal fork of anysoftkeyboard. and the entire recording functionality of the rabbit is stolen off of github!
Tweet media one
Tweet media two
2
6
246
@xyz3va
xyzeva
4 months
i wish i got job offers from sec/pentesting companies. its like ai startup that, other tech startup that, i wanna be in a workspace with alike people instead of just tech people.
8
4
243
@xyz3va
xyzeva
11 months
Can I ask why @arcinternet on the production DMG has ~100MB of 0xFF bytes, which is commonly used by malware to evade antivirus scans by artificially increasing the PE size? Really fucking weird.
9
5
241
@xyz3va
xyzeva
5 months
CVE-2024-45489 by me, writeup soon.
9
3
232
@xyz3va
xyzeva
6 months
the site is sort of crafty and it uses api endpoints to check if it needs more information (email, etc.) to display additional popups, there is a spelling mistake in the 2fa field as well
Tweet media one
2
2
237
@xyz3va
xyzeva
9 months
also if anyone has a stock r1 on latest OTA and is willing to potentially brick it, dm me.
5
3
235
@xyz3va
xyzeva
4 months
just to be clear, this is in no way "world ending" (*cough* evilsocket), its just the funniest and wildest thing ive done so far. ive had many 10.0s before, they just werent as interesting as this one.
4
0
228
@xyz3va
xyzeva
8 months
after disputing that case, paypal said to @PirateSoftware that its invalid because the item doesn't have seller protection. except the vulnerability allows you to create fake items that don't have seller protection. so there is no way for it to have seller protection.
3
7
220
@xyz3va
xyzeva
8 months
the rabbithole for the rabbit r1 had a vulnerability allowing anyone to view any audio recording, picture, or asset saved on your journal. this is now patched. this is unrelated to my disclaimer saying to unlink your rabbithole accounts, stay tuned for updates on that though.
0
5
215
@xyz3va
xyzeva
8 months
hey, bit of an unusual post but im currently looking for housing in turkey. ideally a friends house or a friend of a friends house. this is an emergency as i do not feel safe in my current home right now. please dm me on twitter or on signal (xyzeva.66) and we can discuss.
12
74
218
@xyz3va
xyzeva
7 months
lets talk about bug bounties and security. from shitty triages to employees stealing reports.
2
10
214
@xyz3va
xyzeva
9 months
as mentioned in @coffeebreak_YT's video, the code of the rabbit's backend is extremely fragile and we could theoretically get access to every users conversation. this is extremely bad for obvious reasons.
1
2
216
@xyz3va
xyzeva
8 months
and change your passwords.
3
5
207
@xyz3va
xyzeva
8 months
keys revoked now.
2
0
208
@xyz3va
xyzeva
7 months
writeup soon.
2
0
206
@xyz3va
xyzeva
8 months
read this from 404 media as well:
1
3
197
@xyz3va
xyzeva
9 months
according to someone familiar with the GAMA team and the partners, most developers did not get their full amount paid, and were owed in total $300,000 USD.
1
1
200
@xyz3va
xyzeva
9 months
if lam existed (it does not), the rabbit would need a complete rewrite to handle functionality. currently, its very specific. spotify uses webrtc, uber has custom sockets, etc. this can be seen in the apk.
Tweet media one
5
4
193
@xyz3va
xyzeva
9 months
if you are a rabbit employee, and want to speak anonymously, fully, or off the record (not to the public), please contact me either way. signal: xyzeva.66, email: xyzeva@riseup.net, or just reach out in twitter dms.
2
3
189
@xyz3va
xyzeva
9 months
@pseudoearly @westernunion2k the spin win chance was set to 0% in their own admin panel we gained access to.
2
1
184
@xyz3va
xyzeva
6 months
oops. turns out you forgot to hide the secondary telemetry program you added. (key in user is the non-anonymous user id, linked to your email)
Tweet media one
2
2
181
@xyz3va
xyzeva
8 months
here is what a class looks like now. all this is doing is in fact, making modding harder, so in fact a person representing the company is lying out of their asses. we also have internal confirmation that this exact same person planned this in advance. (just to prevent modding)
Tweet media one
2
0
180