Hey guys, I'm Jookia from the Facepunch forums. Specifically, the programming subforum of it. You can read about what happened here, but I'll sum it up: Team Meat didn't keep their database login server side and restrict what users could do, and swift and shift AKA charliesome found out the login details to the database (it's in the game's data files).
Unfortunately when he notified Team Meat via Twitter, they replied as if this wasn't a problem, so he posted it on the forums to show this (we programmers find these kinds of things funny), and so a user by the handle of 'high' posted the full login details (charliesome hid them from his screenshots) since Team Meat wasn't going to do anything, and we all pretty much stared at the details wondering who would screw up the database, us being too polite to do that kind of stuff.
I spotted this on Twitter, showing that Team Meat acted as if this wasn't a security hole. I personally took away from this (and I'm sure a few others did too) that Team Meat didn't care about people being able to screw over other players.
Then 'Parad0x0217' did what you're all concerned about. Fortunately, 'high' (the guy who released the login details) had made a backup of the entire database earlier and uploaded it to the forum. I'm not sure if this was on purpose or because he tried after I failed at doing a backup myself before all this went down.
Anyway, we have the backups (they're publicly available here), so I guess we're in luck.
But the problem is that Team Meat doesn't actually seem to care that this was possible to do. This is a common thing; you may see it in the news with Microsoft Windows' zero-day bugs, where Microsoft neglected fixing them until something bad actually happened.
Hopefully Team Meat will release an update with a more secure front which will limit what the user can do (possibly by a PHP API, I'm not sure), but the current way isn't the right way to do things.