According to monitoring by 1M AI News, the newly released system input method from Xiaomi's MiClaw team has a serious security oversight. Tests by netizens found that repeatedly tapping the input method's version number is enough to open a debug page. That page directly exposes the AI service's API endpoint, API key, model provider and model name, all of which are hardcoded in plaintext in the app's code.
The leaked API address points to the Ark interface on Volcano Engine, ByteDance's cloud services platform, and the model used is doubao-seed-1-6-lite-251015 from the Doubao series. Judging from the prompt text, the AI feature is used for post-processing after voice input: it corrects typos and grammatical errors in the speech-recognition output and adds punctuation. Netizens confirmed through testing that the key was genuinely valid and could be called directly from outside the app; Xiaomi is believed to have since replaced it. Rotating the key closes this particular leak but not the underlying problem: any key shipped inside a client app can be recovered by decompiling the app, so it has to be treated as public from the moment the app is released.
Decompiling the code also turned up engineering-quality problems: the developers used a pattern like if ("a hardcoded string".length() > 0) to test whether a string literal, which is always non-empty, is non-empty. Code like this would not survive any normal code review.
In addition, a commit to Xiaomi's open-source project mone on GitHub was found to contain a plaintext API key for Moonshot AI (whose Chinese name literally means "the dark side of the moon"). The commit dates from January 2025, and no change to it has been seen since. A key committed to a public repository stays in the history even if a later commit deletes it, so it has to be treated as compromised and rotated regardless.
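As an added example (not code from the article, from Xiaomi's input method or from the mone repository), this is the check a reviewer would run over both the decompiled app code and a repository checkout: a small Python scanner that flags string literals assigned to credential-like identifiers, literal "Bearer" tokens, and the always-true "literal".length() > 0 pattern described above. It scores each literal's Shannon entropy so that random-looking keys are separated from placeholders, and it redacts values in its report so the report itself does not re-leak the key. The Java snippet it scans is constructed for the example; the class name, URL, model name and key value in it are made up, and the identifier patterns it matches on are an assumption about common naming conventions.

```python
"""Added example: heuristic scan for hardcoded credentials in Java/Kotlin-style
source (decompiled app code or a repository checkout). Not Xiaomi's code; the
sample input below is constructed and every identifier and value in it is made up."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Credential-like identifier assigned a string literal of 16+ characters.
# Assumption: names follow common conventions (apiKey, API_KEY, secret, token ...).
KEY_ASSIGNMENT = re.compile(
    r'\b(?P<name>\w*(?:api[_-]?key|secret|token|password|passwd)\w*)\s*=\s*'
    r'"(?P<value>[^"\\]{16,})"',
    re.IGNORECASE,
)
# "Bearer <credential>" baked into a string literal.
BEARER_LITERAL = re.compile(r'"Bearer\s+(?P<value>[A-Za-z0-9\-_.]{16,})"')
# A string literal tested for non-emptiness: always true, so the value is fixed at build time.
LITERAL_EMPTINESS_CHECK = re.compile(
    r'"(?P<value>[^"\\]+)"\s*\.\s*(?:length\(\)\s*>\s*0|isEmpty\(\)|isBlank\(\))'
)


@dataclass
class Finding:
    line: int
    kind: str
    value: str
    entropy: float
    looks_random: bool  # True when the literal has the entropy of a real key


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above placeholders like 'xxxx'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so the report cannot be used as the key itself."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan(source: str, min_entropy: float = 3.0) -> list[Finding]:
    """Return findings in source order; one Finding per matched literal."""
    findings: list[Finding] = []

    def add(lineno: int, kind: str, value: str) -> None:
        ent = shannon_entropy(value)
        findings.append(Finding(lineno, kind, value, ent, ent >= min_entropy))

    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in KEY_ASSIGNMENT.finditer(line):
            add(lineno, "hardcoded_credential", m.group("value"))
        for m in BEARER_LITERAL.finditer(line):
            add(lineno, "bearer_literal", m.group("value"))
        for m in LITERAL_EMPTINESS_CHECK.finditer(line):
            add(lineno, "always_true_literal_check", m.group("value"))
    return findings


def report(source: str) -> list[str]:
    """Human-readable lines with the credential value redacted."""
    return [
        f"line {f.line}: {f.kind} value={redact(f.value)} entropy={f.entropy:.2f}"
        + (" (high confidence)" if f.looks_random else "")
        for f in scan(source)
    ]


# Constructed sample input in the shape of decompiled Android code. Not real code;
# the URL, key and model name are invented for this example.
SAMPLE_SOURCE = """\
public final class VoiceConfig {
    private static final String API_URL = "https://example.invalid/api/v3/chat/completions";
    private static final String API_KEY = "7f3a9c1e-4b2d-4e8f-9a1b-2c3d4e5f6a7b";
    private static final String MODEL = "example-model-lite";
    static boolean enabled() {
        return "example-model-lite".length() > 0;
    }
    static String auth() { return "Bearer 7f3a9c1e-4b2d-4e8f-9a1b-2c3d4e5f6a7b"; }
}
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SOURCE)))
```

Run against a decompiled APK (for example the output of jadx) or a git checkout with the history expanded, the same scan applies to both cases in the article; the entropy threshold of 3.0 bits per character is a rough cut-off that separates placeholder values from real keys, not a guarantee, so low-entropy hits still deserve a look.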