From Archiveteam
Xuite 隨意窩
URL: https://xuite.net/
Status: Offline
Archiving status: Partially saved
Archiving type: DPoS, ArchiveBot
Project source: xuite-grab
Project tracker: xuite
IRC channel: #sweet (on hackint)
Data: archiveteam_xuite

Xuite (pronounced "sweet") is a Taiwanese blog website and social networking service operated by Chunghwa Telecom, founded in 2005.

Xuite offered blog, photo album, and vlog services until the website shut down on 2023-08-31. All Xuite servers stopped working at 14:00 (UTC+8).




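Thank you for your long-standing support of the Xuite service. "Xuite 隨意窩" was the diary of many people's youth, and is also an ongoing notebook of a life enjoyed. However, considering that social media usage habits have changed, and in order to use resources more effectively, Xuite will terminate its service on August 31 of ROC year 112 (2023) and delete all data on the website. Starting April 6 of ROC year 112 (2023), we are providing follow-up services to all Xuiters (members). Please note the shutdown schedule below; we recommend that you back up and download your data and migrate your blog as early as possible.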

Closing schedule

Phase 1: April 6th 10:00 UTC+8 ~ May 1st 10:00 UTC+8, 2023

  • The website functions normally.
  • Data backup and download functions are provided for the members.

Phase 2: May 1st 10:00 UTC+8 ~ August 31st 14:00 UTC+8, 2023

  • New member registration is closed.
  • The website enters read-only mode, and the management console is closed.
  • Members can browse public web pages normally but cannot enter the management console to add, modify or delete content.
  • Only data backup and download functions are provided.
  • Several types of blog sidebars are forcibly closed to protect the website content from crawlers [1].

Phase 3: August 31st 14:00 UTC+8, 2023

  • The website is closed and cannot be accessed.
  • Members cannot back up or restore their data. All data will be deleted.


The following domains are currently functional:

  • xuite.tw
  • xuite.net
  • api.xuite.net (certificate has been expired since 2023-05-19)
  • avatar.xuite.net
  • blog.xuite.net
  • events.xuite.net
  • img.xuite.net
  • m.xuite.net
  • wms.map.xuite.net
  • my.xuite.net
  • pic.xuite.net
  • photo.xuite.net
  • qa.xuite.net
  • s.blog.xuite.net
  • s.photo.xuite.net
  • town.xuite.net
  • vlog.xuite.net
  • *.xuite.com (alias of *.xuite.net)

The following domains host user-generated content:

  • [0-9a-f].blog.xuite.net
  • [0-9a-f].mms.blog.xuite.net (serves a certificate with an invalid common name)
  • [0-9a-f].photo.xuite.net (serves a certificate with an invalid common name)
  • o.[0-9a-f].photo.xuite.net
  • [0-9a-f].share.photo.xuite.net
  • [0-9a-f].mms.vlog.xuite.net

The following domains redirect the pages elsewhere:

  • event.xuite.net
  • roomi.xuite.net
  • vip.xuite.net

The following domain always returns HTTP 404:

  • vote.xuite.net

The following domain was down, and the redirection should be handled specially:

  • redir.xuite.net

Site structure

Assuming all the numeric IDs are incrementing, there are about 51M accounts, 6.1M blogs, 591M blog articles, 20.6M albums, 1262M photos, and 33.2M videos or audios on Xuite in the end.


Each member has a user_id matching the regex [A-Za-z0-9._]{1,20} and one or more numeric serial numbers (sn). Multiple serial numbers may correspond to the same user_id, possibly due to account merger or user_id takeover.

It seems that newly registered Chunghwa Telecom members are automatically assigned a Xuite account chttw_[0-9]{10}, so the serial number keeps growing after the read-only phase.

The currently known user serial number ranges are 10000054~30399438, 231366307~261267271, 280000170~281076360.

The user profile service My窩[2] has been terminated since 2021 [3]. Right now it is not possible to access a user's friend list through the web pages without using the API.


A member can have multiple blogs. Each blog has a custom alphanumeric blogUrl / blog_name and a globally unique incremental numeric blog_id. The blogUrl was editable after blog creation, before the read-only phase. Malicious blog owners were able to bypass the front-end JavaScript checks and submit malformed blogUrls, making their blogs inaccessible.

Each article has a globally unique incremental numeric article_id, not exceeding 590788564.


Each album has a globally unique incremental numeric album_id.

Each photo has a numeric position number (serial) in the album and a globally unique incremental numeric photo_id.


Each video or audio file has a globally unique incremental numeric MEDIA_ID (not exceeding 33178667) and a FILE_NAME matching the regex (?:[A-Za-z0-9]{31}|[A-Za-z0-9]{6})-MEDIA_ID\.flv; the Base64-encoded FILE_NAME forms the video URL.

Members can create directories to categorize media they uploaded, and each media item cannot belong to more than one directory [5]. Each directory has a globally unique incremental numeric dir_id.

Since 2015, members have been able to create playlists to categorize any media on Xuite [6]. Each playlist has a globally unique incremental numeric plid.

Flash-based creations

Members used to be able to embed Flash gadgets in blog sidebars or articles. Although these gadgets are deprecated [7][8], the configuration XML files, images and audio referenced in FlashVars are archivable.

If http://c.blog.xuite.net/cf/7b/11732000/blog_698/mtv/4711036/flash_config.xml (occasionally) redirects to the forbidden page https://my.xuite.net/error.php?ecode=403, there is an alternative URL https://blog.xuite.net/_users/cf/7b/11732000/blog_698/mtv/4711036/flash_config.xml .

In articles

In blog sidebars

URL shortener

Web page visitors can use the URL shortener by clicking the "短網址" button in the upper right corner of the website toolbar [9].


Other subdomains consist mostly of static content, which has been partially saved by the Wayback Machine:


Xuite Photo Feed API

The following method returns a JSON-encoded album list of up to 15 albums for the user [10].

The following method returns a JSON-encoded photo list of the album [11].

Xuite API

Members were able to apply for Xuite API keys starting in 2011 [12]. Although new applications were later closed, existing API keys can still be used.

All requests should be accompanied by a signature api_sig derived from the API key and the corresponding 10-digit secret key, but methods with the "public" property do not require OAuth 2.0 authorization from the user.

The signature generation formula is md5(<secret key> + <concatenated parameter values sorted by parameter names>) [13].

For example, if the API key is 500e40b862395d8a177d402d43cee9db, the corresponding secret key is 0123456789, and the query parameters are api_key=500e40b862395d8a177d402d43cee9db&method=xuite.photo.public.getPhotos&user_id=photo&album_id=4286795&pw=&start=0&limit=21, the signature should be md5(01234567894286795500e40b862395d8a177d402d43cee9db21xuite.photo.public.getPhotos0photo) = afc87f038f0c538677609eca6b1e7e88.
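
The signing rule and worked example above, as an added Python example (not Archive Team's or Xuite's code). It rebuilds the pre-image from a raw query string and, going one step beyond the page, shows that joining values without delimiters lets two different parameter sets share one signature, next to an HMAC-SHA256 variant that does not. `hardened_sig`, the constructed `A`/`B` pair and the exclusion of `api_sig` from the signed values are assumptions made here.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

def preimage(secret: str, params: dict) -> str:
    """Secret key followed by the parameter values, ordered by parameter name."""
    return secret + "".join(str(params[k]) for k in sorted(params))

def api_sig(secret: str, params: dict) -> str:
    """api_sig as the page's formula describes it: md5 over the pre-image."""
    return hashlib.md5(preimage(secret, params).encode("utf-8")).hexdigest()

def sign_query(secret: str, query: str) -> str:
    """Sign a raw query string; blank values such as pw= must be kept."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    params.pop("api_sig", None)  # assumption: the signature never signs itself
    return api_sig(secret, params)

def hardened_sig(secret: str, params: dict) -> str:
    """Not Xuite's scheme: HMAC-SHA256 over length-prefixed name/value pairs."""
    msg = b"".join(
        f"{len(k)}:{k}{len(str(v))}:{v}".encode("utf-8")
        for k, v in sorted(params.items())
    )
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()

# Values taken from the page's worked example.
SECRET = "0123456789"
QUERY = ("api_key=500e40b862395d8a177d402d43cee9db"
         "&method=xuite.photo.public.getPhotos&user_id=photo"
         "&album_id=4286795&pw=&start=0&limit=21")
PAGE_SIG = "afc87f038f0c538677609eca6b1e7e88"

# Constructed pair: different parameters, identical pre-image, because the
# values are joined without names, lengths or delimiters.
A = {"album_id": "4286795", "start": "0"}
B = {"album_id": "428679", "start": "50"}

if __name__ == "__main__":
    print("computed :", sign_query(SECRET, QUERY))
    print("page says:", PAGE_SIG)
    print("A and B share an md5 api_sig:", api_sig(SECRET, A) == api_sig(SECRET, B))
    print("A and B share a hardened sig:", hardened_sig(SECRET, A) == hardened_sig(SECRET, B))
```
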

Non-public APIs

Some methods are designed to be called by AJAX or Flash. These methods do not require the API key.

User information

Friend list

Similar to Wretch, friendship on Xuite is directional. Username discovery can be performed in two directions.

Keyword search

The following methods are derived from the Android app that was on Google Play [14].

SQL wildcard characters take effect in the keyword kw.


Album photo list

The following method derived from https://blog.xuite.net/_service/swf/slideshow.swf returns an XML-encoded list with album thumbnail and photo size. It uses a 10-character check key that is affected by the day of the week.

Media source info

The following methods return XML-encoded media source info given only the Base64-encoded MEDIA_ID. The FILE_NAME and the owner's user_id can be derived from the returned Base64-encoded flv_src.

Media playlist

This API cannot infer the owner of the playlist.


External links