lolcreds

Public credential defaults and exposure patterns for authorized security testing.

BigBlueButton

BigBlueButtoncollaboration3 credentials

Credentials3 documented
01

API Shared Secret

bigbluebutton / api-shared-secret

BigBlueButton API calls include a checksum computed with a secret shared with the server. BigBlueButton documents that third-party applications can make API calls if they have the shared secret and that end users should not have it.

generated on installsecretsecret value

Location

config file
/etc/bigbluebutton/bbb-web.properties, /etc/bigbluebutton

BigBlueButton API shared secret and override configuration

environment
BBB_SECRET, BIGBLUEBUTTON_SECRET
secret store

deployment vaults, Kubernetes Secrets, and cloud secret managers

source code

Greenlight config, API integration code, tests, and committed .env files

logs

bbb-conf output, API client traces, and setup logs

http response

administrative tooling output that prints API URL and secret

Notes

API shared secret exposure allows server-to-server API calls such as creating, joining, and ending meetings depending on endpoint access.

02

Meeting Attendee / Moderator Passwords

bigbluebutton / meeting-passwords

BigBlueButton create API can return or accept attendeePW and moderatorPW meeting passwords. The API docs mark these parameters deprecated when role is used, but they remain credential material in older integrations.

generated on installuser definedsecretpassword

Location

http response

create API XML responses containing attendeePW and moderatorPW

config file

LMS/plugin integration config, meeting creation scripts, and .env files

database

frontend or LMS database records storing meeting credentials

source code

API examples, tests, and committed integration scripts

logs

API request logs and LMS/plugin debug output

public interface
/bigbluebutton/api

BigBlueButton API endpoint accepting meeting password parameters

Notes

Moderator passwords can grant moderator capabilities for a meeting in integrations that still use password-based join authorization.

03

FreeSWITCH SIP Provider Credentials

bigbluebutton / freeswitch-sip-credentials

BigBlueButton customization docs show FreeSWITCH gateway configuration with username and password values for external SIP providers. These credentials enable telephony integration.

user definedsecretusername/password

Looks like

pattern
pattern

FreeSWITCH gateway password parameter in BigBlueButton telephony config

<param\s+name\s*=\s*"password"\s+value\s*=\s*"[^"]+"\s*/>

Location

config file

FreeSWITCH gateway XML, BigBlueButton override files, and deployment scripts

secret store

telephony provider vault entries and deployment secrets

source code

committed FreeSWITCH config and custom apply-config.sh scripts

logs

SIP registration logs and FreeSWITCH troubleshooting output

Notes

SIP credentials can allow registration or call routing through the configured telephony provider.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.