
Bilibili's back-end source code leaked with possible user login details

BananaInSandals

Yahoo! Taiwan esports (in Chinese)

technode (summary in English, lacks a lot of detail)

Weibo post cited in technode's article with screen shots of (censored) leaked username and password (in Chinese)

 

Summary from technode:

Quote

A repository containing a large number of user names and passwords for Chinese video-streaming site Bilibili was found on open-source software development platform GitHub

The GitHub repository had amassed at least 6,000 stars, a tool for users to bookmark a post, before it was taken down. 

Bilibili responded on Monday that the company had reviewed the leaked codes and found that they were from an older version of the website

“We have taken defensive steps to ensure the accident won’t compromise user data security,” said the company

 

bilibili's official response:


Quote

Translation:

Statement regarding the "partial leak of bilibili's source code" incident

Today we saw that part of bilibili's source code has been circulated online. After an internal emergency investigation, we have confirmed that this code is from an older historical version. We have taken active defensive measures to ensure that this incident will not affect the safety of our website or of user data.

We have reported the incident immediately and will investigate the source of the leak. Furthermore, bilibili has always had an official GitHub account for its source code. We welcome interested users to visit:

https://github.com/bilibili

 

Sample of leaked username and password (censored by poster):


 

Funny side stuff: a list of censored words :P 


Quote

Translations of some of the words (which I think are interesting :P ):

Best actor Xi, Pussy, Fuck til cum, Xi Dada (nickname for President Xi Jinping), Apply for a real diploma, Peng Liyuan (Xi's wife), Sex/SexEd class, Mother Peng, ghost and animal gang rape, fuck me, fuck you, Emperor bun/bread (nickname for Xi, also has the meaning of Emperor idiot), fuck her

 

Rumours: some claim that bilibili is faking view counts, subscription numbers and coin counts, because the screenshot contains the phrases "作弊播放量" (cheated view count), "作弊收藏量" (cheated favourite/subscription count) and "作弊硬幣量" (cheated coin count) in one of the string arrays.


 

 

Personal thought:

LTT has been uploading onto bilibili with Chinese subtitles. If you're from bilibili, it might be a good idea to change your passwords just in case. Though imo those are probably from ages ago, when bilibili wasn't that big yet. I highly doubt they're still using SMTP host services from QQ...

Also, keep your programmer employees happy. Rumour has it that this was leaked by a disgruntled (and dismissed) programmer from bilibili :P They can do a lot of damage...


4 minutes ago, VegetableStu said:

come to linustechtups.com . we have cookies.

and shitposters... do we?


4 minutes ago, VegetableStu said:

cookies.

I see what you did there


7 minutes ago, Jurrunio said:

I see what you did there

Ahhhh... Now I see what he did there


Oh man whoever leaked this must have one hell of a grudge against the site


Thanks for the reminder. I haven't seen any system messages on the site about the leak however.


7 minutes ago, williamcll said:

Thanks for the reminder. I haven't seen any system messages on the site about the leak however.

It's China, they censored it.


27 minutes ago, williamcll said:

Thanks for the reminder. I haven't seen any system messages on the site about the leak however.

They claimed that the leaked code (and presumably the passwords as well) is "historical". I guess they don't think it's that big a deal. I'll admit those hard-coded passwords sound a lot like testing accounts to me.


Quote

Xi Dada

Kinky ( ͡° ͜ʖ ͡°)


In the DMCA notice [1], they said

Quote

such as secret key,database address,very important api key and so on

There doesn't seem to be any suggestion that I can find that any user credentials were leaked. Instead, the leak appears to just be the site's source code, which included credentials to identify Bilibili to other services, such as API keys and security tokens.

 

Although it's not clear where the leak has come from, this should be a reminder that you don't want to upload private credentials to source control, even if your repository is private, just in case someone clones the repository and leaks it. Ideally, you want to use something like AWS secrets manager, and other cloud platforms' equivalents, which keep the secrets accessible only to your application.

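As an added example that is not part of this thread and not code from Bilibili: the post above is right that the durable fix is to keep credentials out of the tree, and the cheap complementary control is a scan that refuses to commit the kinds of values the DMCA notice lists (passwords, database addresses with embedded credentials, API keys). The Python below scans a constructed sample config (the `SAMPLE_SOURCE` text, its hostnames and the `AKIAIOSFODNN7EXAMPLE` key, which is the placeholder AWS uses in its own documentation, are all illustrative), skips obvious template placeholders, masks what it reports so the scanner itself does not re-leak the value into CI logs, and includes the hardened `load_secret` form that reads from the environment a secrets manager populates. The pattern names and the placeholder list are this example's own choices, not a standard.

```python
"""Added example: a minimal hard-coded-credential scanner plus the hardened
loader it argues for. Not code from the thread or from Bilibili."""
import os
import re
from dataclasses import dataclass
from typing import List, Mapping, Optional


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    masked_value: str  # the secret itself is never echoed


# Each pattern captures the sensitive value in a group named "value".
PATTERNS = {
    # name = "literal" where the name ends in password / secret_key / api_key / token
    "credential-assignment": re.compile(
        r"""(?i)\b\w*(?:password|passwd|pwd|secret[_-]?key|api[_-]?key|access[_-]?token|token)"""
        r"""\s*[:=]\s*['"](?P<value>[^'"]{6,})['"]"""
    ),
    # scheme://user:password@host, as in database, SMTP or message-broker URLs
    "connection-url": re.compile(
        r"""(?i)\b[a-z][a-z0-9+.-]*://[^\s:/'"@]+:(?P<value>[^\s@'"]+)@[^\s'"]+"""
    ),
    # AWS access key IDs have a fixed, recognisable shape
    "aws-access-key-id": re.compile(r"\b(?P<value>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
}

# Values that are obviously templates or dummies rather than leaked secrets (assumed list).
PLACEHOLDERS = {"changeme", "change_me", "password", "secret", "example", "xxxxxx", "redacted"}


def looks_like_placeholder(value: str) -> bool:
    v = value.strip()
    return v.lower() in PLACEHOLDERS or v.startswith(("${", "{{", "<", "%("))


def mask(value: str) -> str:
    """Show enough to locate the value without re-leaking it into scanner output."""
    return value[:2] + "*" * (len(value) - 2) + f" ({len(value)} chars)"


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per (line, pattern) that matches a non-placeholder value."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            value = match.group("value")
            if looks_like_placeholder(value):
                continue
            findings.append(Finding(line_no, kind, mask(value)))
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened form: the secret comes from the process environment (populated by
    a secrets manager or CI vault at deploy time), and a missing value fails
    loudly instead of silently falling back to a literal in the source tree."""
    source: Mapping[str, str] = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; inject it at deploy time, do not commit it")
    return value


# Constructed sample: a config file of the kind the DMCA notice describes.
# Every value here is invented; the AWS key is AWS's documentation placeholder.
SAMPLE_SOURCE = """\
# constructed sample config, not real credentials
SMTP_HOST = "smtp.example.com"
SMTP_USER = "noreply@example.com"
SMTP_PASSWORD = "Hunter2!Hunter2"
DATABASE_URL = "mysql://app:s3cr3t-db-pass@10.0.0.5:3306/app"
API_KEY = "${API_KEY}"
SESSION_TOKEN = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
password = os.environ["SMTP_PASSWORD"]
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind}: {f.masked_value}")
```

Run over the sample, this flags lines 4, 5 and 8 (the literal SMTP password, the password embedded in the database URL and the AWS key), and passes the `${API_KEY}` placeholder, the `changeme` dummy and the `os.environ[...]` lookup. Wire `scan_source` into a pre-commit hook or CI job over staged files; a dedicated scanner such as gitleaks or trufflehog does the same with far more patterns. One caveat worth adding to the discussion above: deleting a secret from the current tree does not delete it from git history, so anything that was ever committed has to be treated as exposed and rotated, whether or not the repository was private.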
