1  Super Meat Boy / Meat Helping / Re: Linux version - need to buy it again? on: December 25, 2011, 08:16:30 PM
I'm pretty sure if it wasn't for the Humble Indie Bundle requiring a Linux port, and Icculus doing it for them, we probably wouldn't be able to play.
2  Super Meat Boy / Meat Talk / Re: Super Meat World has been hacked... on: December 24, 2011, 06:57:13 PM
The 'hackers' were under the impression that Team Meat were simply ignoring the bug. At no point did Team Meat say that the bug was on the radar, going to be fixed, or tell people to leave it alone, or that the developer was away for holidays. Maybe this was a communication fault?

However, I do doubt this story. Super Meat Boy has had the feature since May 2011 (according to Wikipedia), the developers have had plenty of time to fix the gaping security hole, if it was on their radar.

The 'hacking' had no overall negative effect, and I see no reason for the 'hackers' to feel bad if it means that Super Meat Boy will end up as a better and more secure product.
3  Super Meat Boy / Meat Talk / Re: Super Meat World has been hacked... on: December 24, 2011, 05:40:00 PM
While I respect Edmund's alleged (there's no source that I can find) response, it doesn't actually tell us anything about Team Meat's position on this event. He goes on to say that it ruined the game's experience for the players and that he wants to make friends, none of those things are relevant. IMHO it seems to play the sympathy card and people's sympathetic emotions.

I'd like to stress that a few hours before the public knowledge of the hole was revealed, the guy who found it tried to inform Team Meat of the problem so it could get fixed, but Team Meat acted as if it was a feature, leaving a few options for the 'hackers':

  • Don't do anything, and hope that nobody else finds the hole and exploits it for evil purposes.
  • Harass Team Meat until they agree to fix the hole, or get ignored.
  • Do something that will force them to fix it.

I bolded the option that the 'hackers' took. I personally can't think of any way to do this in this case without hurting the user, which justifies it in my mind. The important thing is that now the developers have to fix the problem.

As for the exploit, it's not like the hackers found some bizarre route or bug like with firmware hacking on consoles; the login details were in the executable. Team Meat trusted the user not to go poking around in it, and that only the game itself would use the details. There was no security at all. As another user in the Facepunch thread said, the way they designed the system is one of the most insecure ways to do this; it wouldn't have even popped into his head as an idea. I don't think it would even pop into my head, let alone have me consider it.

Another small thing that wasn't really revealed was that setting the name of a level to an empty string (I think that's what it was) would cause the game to crash, suggesting an actual security exploit. If that's the case, then sophisticated attackers could make their own level, quietly experiment for a few days and possibly find a way to inject malware or viruses into the computer through a level name.
4  Super Meat Boy / Meat Helping / Re: Linux version - need to buy it again? on: December 23, 2011, 04:58:02 AM
I'm unsure if you can currently (I'm just a user), but the technology exists to do this kind of thing, possibly in the future: Steam supports OpenID and an API to check which user has games. All Team Meat would really need to do is have you log in to their site using Steam and check if you bought the game on Steam, and let you download Super Meat Boy for Linux.
5  Super Meat Boy / Meat Talk / Re: Super Meat World has been hacked... on: December 23, 2011, 04:16:19 AM
Hey guys, I'm Jookia from the Facepunch forums. Specifically, the programming subforum of it. You can read about what happened here, but I'll sum it up: Team Meat didn't keep their database login server side and restrict what users could do, and swift and shift AKA charliesome found out the login details to the database (it's in the game's data files).

Unfortunately when he notified Team Meat via Twitter, they replied as if this wasn't a problem, so he posted it on the forums to show this (we programmers find these kinds of things funny), and so a user by the handle of 'high' posted the full login details (charliesome hid them from his screenshots) since Team Meat wasn't going to do anything, and we all pretty much stared at the details wondering who would screw up the database, us being too polite to do that kind of stuff.

I spotted this on Twitter, showing that Team Meat acted as if this wasn't a security hole. I personally took away from this (and I'm sure a few others did too) that Team Meat didn't care about people being able to screw over other players.

Then 'Parad0x0217' did what you're all concerned about. Fortunately, 'high' (the guy who released the login details) had made a backup of the entire database earlier and uploaded it to the forum. I'm not sure if this was on purpose or because he tried after I failed at doing a backup myself before all this went down.

Anyway, we have the backups (they're publicly available here), so I guess we're in luck.

But the problem is that Team Meat doesn't actually seem to care that this was possible to do. This is a common thing, you may see it in the news with Microsoft Windows' zero day bugs, where Microsoft neglected fixing them until something bad actually happened.

Hopefully Team Meat will release an update with a more secure front which will limit what the user can do (possibly by a PHP API, I'm not sure), but the current way isn't the right way to do things.
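
Added example, not part of the original posts and not Team Meat's code: a sketch of the server-side front the post above asks for, where the database handle lives only on the server and clients can reach a few restricted operations. The names (LevelService, the levels table, MAX_NAME_LEN) are hypothetical, `user` is assumed to be already authenticated by the caller, and in-memory SQLite stands in for the real database.

```python
import sqlite3

MAX_NAME_LEN = 64  # assumed limit, not taken from the posts


class LevelService:
    """Server-side gateway: the only code that ever holds a database handle."""

    def __init__(self):
        # Stand-in for the real database. In a deployment the credentials sit
        # in server configuration only, never in the shipped game files.
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE levels (id INTEGER PRIMARY KEY,"
            " owner TEXT NOT NULL, name TEXT NOT NULL)")

    @staticmethod
    def _clean_name(name):
        # Reject the empty-name case mentioned in the posts, plus oversized
        # or non-printable names, before anything reaches the database.
        if not isinstance(name, str):
            raise ValueError("level name must be text")
        name = name.strip()
        if not name or len(name) > MAX_NAME_LEN or not name.isprintable():
            raise ValueError("invalid level name")
        return name

    def submit_level(self, user, name):
        cur = self._db.execute(
            "INSERT INTO levels (owner, name) VALUES (?, ?)",
            (user, self._clean_name(name)))
        self._db.commit()
        return cur.lastrowid

    def rename_level(self, user, level_id, new_name):
        # The owner check is part of the query: users can only touch their own rows.
        cur = self._db.execute(
            "UPDATE levels SET name = ? WHERE id = ? AND owner = ?",
            (self._clean_name(new_name), level_id, user))
        self._db.commit()
        return cur.rowcount == 1

    def delete_level(self, user, level_id):
        cur = self._db.execute(
            "DELETE FROM levels WHERE id = ? AND owner = ?", (level_id, user))
        self._db.commit()
        return cur.rowcount == 1

    def list_levels(self):
        return self._db.execute(
            "SELECT id, owner, name FROM levels ORDER BY id").fetchall()
```

There is no operation here that accepts raw SQL or acts on another user's rows, so a client that extracts everything from the game files still gets no more than these four calls.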