
Super Meat Boy leaves database wide open - llambda
http://forums.somethingawful.com/showthread.php?noseen=0&threadid=2803713&pagenumber=258#post398884189
======
charliesome
I should probably note that at no point did I disclose the database
credentials - other users discovered those and publicly posted them. I
contacted Super Meat Boy several times before going public with this but they
totally disregarded my warnings.

------
smosher
I found this image succinct and telling:
<http://img820.imageshack.us/img820/1641/itsfinetrustme.png>

------
dangero
I'm going to dangle myself on a limb here.

If you consider the constraint that the indie programmer may have had
incomplete skills to set up a proper service, saw this method as faster for
any number of other reasons, or didn't want to maintain a proper web service,
I think this could very well have been the right approach at the time. Judging
from how much money this game has made, I think that's hard to argue with
since time to market should have been the number 1 concern at the time and
early on he needed a way to make sure people were able to complete all the
levels and measure the difficulty curve.

When the developer responded that it didn't matter, that may have been because
they don't need that data any more and don't even look at it.

~~~
zyb09
In good tradition the most critical comment is the top voted on HN. Yada Yada
indie life is hard, but no one with a right mind would think of connecting the
client directly to the remote master database. This is just so WTF on so many
levels, you can't help but wonder how they even managed to produce such a good
game after all.

~~~
socksy
Yes, it seems obvious to web developers and developers that are used to
working with databases and CRUD apps, but that's one set of skills over a
particular domain. Game development tends to emphasise a whole different set
of skills — those of efficient graphic rendering, for example.

A points table is no doubt a last minute add on in a field that certainly
wouldn't be the expertise of a small indie developer (no-one goes into game
development for their love of CRUD apps, after all). They needed a database so
they used the most popular, in a way that probably seemed the most appropriate
for their application.

~~~
TillE
I can't imagine anyone specializing to such an extreme. If you want to make
multiplayer games, for example, you _have to_ know this stuff.

Every competent programmer should be familiar with basic security principles.
It's then your responsibility to educate yourself about how to apply those
principles in a given situation.

~~~
HalibetLector
No, you don't. I work for one of the top social gaming companies around right
now and programmers do specialize to a ridiculous degree. The programmers who
write code for the actual game are rarely web developers. It's simply a
different domain.

I can confidently say this because I'm a web developer in a studio of game
developers and most of them don't even know how to run mysql locally. They
aren't stupid, they could, if they spent the time to learn it. But they are
much more interested in improving the efficiency of their A* pathing
algorithm.

~~~
radiac
Well, it's fair to say that programmers specialise, but presumably you're only
working on the website, and the game developers are only working on the game.
TillE was right - if you are going to implement this stuff, you should know
what you're doing, or at least seek advice from people who do.

Regardless, the super meat boy developer made a pretty basic mistake, which
you could perhaps defend with your argument, but he then refused to engage
with someone who was reporting a vulnerability and trying to help. To me,
that's pretty astounding.

~~~
socksy
Game development especially has a lot of well meaning customers who haven't
got a clue what they're talking about (a lot of kids). Whilst he probably
should have listened, it's understandable why he may have dismissed a random
on twitter.

~~~
Total_Meltdown
The guy took a stack trace of a segfault. If a guy comes up to me, tells me I
have a glaring security flaw, and shows me a stack trace of my own code to
prove it, I'd be an idiot /not/ to give him at least a few minutes of my time,
no matter what community he comes from.

------
MBCook
Unfortunately this doesn't surprise me too much. I'm a Mac user and eagerly
awaited the Mac release, only to find it had terrible performance and game
breakage bugs. I emailed the developers and received two replies.

Tommy, the developer quoted here, started his email implying my complaint was
faked, then saying they couldn't reproduce the issue of the game crashing
every time you entered a warp zone, although they said they were working on
it. His response made me quite a bit madder.

Edmund, the other developer, replied separately. He was apologetic and
mentioned that the person they had originally paid to port the game fell
through so it had to be done very fast. This was the kind of email I was
expecting. It wasn't confrontational at all.

They later released a patch that fixed the crashing issues, but performance is
still a major problem. The Windows system requirements are listed as a 1.4 GHz
P4 with 768 MB of RAM. On the official blog, they list a dual core 2.6 GHz
machine with 2 GB of RAM as the minimum requirements for the Mac. The game is
officially supposed to support the 360 gamepad, but a note was left on the
Steam forum that despite the promise it's not possible to support it correctly
on the Mac, so the problem won't be fixed.

I thought the binding of Isaac looked interesting, and it has been getting
good reviews. But after my experience I'm not going to play it. Super Meat Boy
was a lot of fun (even though it didn't perform well on my Mac), but after my
experience seeing the response to this issue doesn't surprise me.

~~~
starwed
Hmm, Super Meat Boy seems to be totally fine on my mac. (2010 Air 11").

However, Binding of Isaac is pretty lagtastic. (But, quite possibly the most
fun I've had with a game this year.)

~~~
MBCook
I considered buying it on XBLA a few times, but I wanted to support a
developer for supporting the Mac, and I didn't want to have to boot my XBox to
play it.

The individual levels are generally quite fluid, unless you die an awful lot
of times. But the map screens and some of the bosses are slower (ESPECIALLY
the one in World 4/Hell). I wonder if it's the extra visual effects (like the
fire in Hell).

I wish I had bought it on XBLA. Microsoft's quality control meant it would
have been a much better experience. I was actually disappointed with Steam,
which is the first time that happened. I guess I assumed they ran strong QC,
which they must not.

PS: MacBook Pro, early 2010, 2.53 GHz, 8 GB. Graphics card (integrated vs
nVidia) never seemed to make a difference.

------
kevingadd
The idea of doing an UPDATE on the custom levels table every time someone dies
in order to increment the deaths counter terrifies the database administrator
in me. That'll scale REAL well. Yikes.

~~~
citricsquid
Asking the database administrator in you, what's the most efficient way to do
it? Queue and push updates every 10 minutes?

~~~
benologist
We do millions of operations like that a minute by queuing, aggregating and
then committing. SQL Server's MERGE is particularly useful for it, although on
our MongoDB stuff (and ironically, for player created levels) we do $incs.

~~~
forrestthewoods
I know next to nothing about this kind of stuff. If I wanted to create a stats
+ user generated level database system akin to Super Meat Boy (and I do) do
you have any recommended resources to read?

~~~
benologist
It depends on how deep you want to go yourself. At its easiest you could just
drop Playtomic [1] in, we have support for most gaming platforms.... obviously
I'm quite biased towards this option. :)

If you want something more flexible and you're doing mobile you can check out
Parse [2], they're a custom database with a REST, iOS and Android APIs. If
you're using Flash, HTML5 or Unity3d we have a bridge that lets you use Parse
through our own APIs.

If you want to get right down to the guts of it I would get a simple Heroku
[3], PHPFog [4] or AppHarbor [5] account depending on what languages you're
most comfortable with or learning and set up a MongoDB database over at
MongoHQ [6], MongoDB lends itself very well to user created levels in my
experience.

Basically you need:

1) Scripts to save, rate, count plays and list levels. You want to either
authenticate the user, or more simply just obfuscate the data you're
transmitting to make tampering harder

2) Some kind of logging or queueing system where you will store the plays

3) Something that will go through your logs or queues and perform the $inc
operations on your levels in bulk batches rather than doing it all
individually

4) Indexes on your database that match your listing requirements

[1] <http://playtomic.com/> [2] <http://parse.com/> [3] <http://heroku.com/>
[4] <http://phpfog.com/> [5] <http://appharbor.com/> [6] <http://mongohq.com/>
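As an added example, not code from the thread or from Team Meat, here is the queue-aggregate-commit pattern kevingadd and benologist describe above, written against the four-step outline in the previous post. SQLite stands in for the MySQL/MongoDB store so it runs offline; the `levels` schema, the counter whitelist, the level names and the traffic volumes are all constructed for the demo. The point it shows is that the per-death `UPDATE` the thread worries about becomes a handful of statements per flush interval, regardless of how many deaths were recorded.

```python
import sqlite3
from collections import Counter

# Constructed stand-in schema; SQLite replaces the MySQL/MongoDB store the
# thread discusses so the example runs offline.
SCHEMA = """
CREATE TABLE levels (
    id           INTEGER PRIMARY KEY,
    author       TEXT    NOT NULL,
    name         TEXT    NOT NULL,
    plays        INTEGER NOT NULL DEFAULT 0,
    deaths       INTEGER NOT NULL DEFAULT 0,
    rating_sum   INTEGER NOT NULL DEFAULT 0,
    rating_count INTEGER NOT NULL DEFAULT 0
);
-- step 4: an index matching the listing query ("most played" here)
CREATE INDEX levels_by_plays ON levels (plays DESC);
"""

# Whitelist of counters a client may bump. The column name is taken from this
# tuple, never from the request, so splicing it into the statement is safe.
COUNTERS = ("plays", "deaths", "rating_sum", "rating_count")


class StatsQueue:
    """Steps 2 and 3: buffer per-event increments and apply them in bulk."""

    def __init__(self, conn):
        self.conn = conn
        self.pending = Counter()   # (level_id, counter) -> accumulated increment
        self.statements = 0        # UPDATE statements actually sent to the database

    def record(self, level_id, counter, amount=1):
        if counter not in COUNTERS:
            raise ValueError(f"unknown counter {counter!r}")
        self.pending[(level_id, counter)] += amount

    def flush(self):
        """Collapse the queue into one executemany per counter column."""
        rows_by_counter = {}
        for (level_id, counter), n in self.pending.items():
            rows_by_counter.setdefault(counter, []).append((n, level_id))
        with self.conn:   # one transaction for the whole batch
            for counter, rows in rows_by_counter.items():
                self.conn.executemany(
                    f"UPDATE levels SET {counter} = {counter} + ? WHERE id = ?", rows)
                self.statements += 1
        applied = len(self.pending)
        self.pending.clear()
        return applied


def naive_deaths(conn, level_id, n):
    """The pattern kevingadd objects to: one UPDATE round trip per death."""
    for _ in range(n):
        conn.execute("UPDATE levels SET deaths = deaths + 1 WHERE id = ?", (level_id,))
    conn.commit()
    return n   # statements issued


def top_levels(conn, limit=10):
    """Step 1, listing: served by the index created in SCHEMA."""
    cur = conn.execute(
        "SELECT id, name, plays, deaths FROM levels ORDER BY plays DESC LIMIT ?", (limit,))
    return [dict(zip(("id", "name", "plays", "deaths"), row)) for row in cur]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO levels (id, author, name) VALUES (?, ?, ?)",
                     [(1, "alice", "Salt Factory"), (2, "bob", "Meat Grinder")])
    conn.commit()

    # Constructed traffic: 1000 deaths on level 1 the naive way, then 300 deaths
    # and 160 plays through the queue.
    naive_statements = naive_deaths(conn, 1, 1000)

    q = StatsQueue(conn)
    for _ in range(300):
        q.record(2, "deaths")
    for _ in range(120):
        q.record(1, "plays")
    for _ in range(40):
        q.record(2, "plays")
    q.flush()   # two statements: one for deaths, one for plays

    return {
        "naive_statements": naive_statements,
        "batched_statements": q.statements,
        "top": top_levels(conn),
    }


if __name__ == "__main__":
    print(demo())
```

In production the queue would be a log or message queue rather than an in-process `Counter`, and `flush()` would run on a timer (citricsquid's "every 10 minutes") or on a size threshold; the shape of the bulk write is the same.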

~~~
forrestthewoods
Great response, lots of good information, thank you!

------
richardeid
Hi, I registered because I had read this story earlier today and decided to
contact Team Meat's developer and ask him a question. His response prompted me
to post this here. My question is of a political nature, but you can ignore
that part. The part that struck me as odd, and the part that matters for this
conversation, was where he claimed nothing happened.

[https://lh5.googleusercontent.com/-kc0f6ZQZebY/TvWDhFSHYEI/A...](https://lh5.googleusercontent.com/-kc0f6ZQZebY/TvWDhFSHYEI/AAAAAAAADag/G23qcWvjkag/s628/edmund.png)

Note that I sent him the tweet at exactly midnight my time. A short time
later, a thread on the Steam forums was updated with:

[https://lh5.googleusercontent.com/-itY306KgvLk/TvWGR_cQkiI/A...](https://lh5.googleusercontent.com/-itY306KgvLk/TvWGR_cQkiI/AAAAAAAADa4/vCNivXdI7xE/s912/spufmeat.png)

To give that a little context, once the details of this vulnerability were in
the wild the shenanigans everyone ran on their database had affected
everybody's ability to play the game. It would crash upon launch.

Anyway, he responded ~two hours later, just after that post on the Steam
forums noted that the game was playable again.

Does "nothing happened" seem accurate here? And for anyone that has the skills
to access that database, is it still accessible and...modifiable?

~~~
dandelany
"My question is of a political nature, but you can ignore that part."

No, your question was of a rude nature, which is pretty hard to ignore. It's
not surprising that he responded curtly.

~~~
richardeid
I was trying not to focus on that aspect of the conversation, but this is what
my comment was based on:

[https://twitter.com/#!/SuperMeatBoy/status/14761253025520435...](https://twitter.com/#!/SuperMeatBoy/status/147612530255204352)

In my opinion, this isn't the sort of behavior that should be advocated. If
people pirate the software produced by these companies that support SOPA, then
that just validates SOPA. Additionally, he doesn't exactly give his games away
for free so it's a strange stance to take in my eyes.

Anyway, my thoughts and feelings on copyright infringement weren't relevant
discussion for this thread. I instead chose to focus on him acting as if
nothing had happened, when the rest of the Internet proved otherwise.

------
z92
So what would be the solution? He used a password protected database
connection and put the password compiled in binary. If I was doing it I would
have probably done the same. How else can it be done? Use web service? That
would still look "open" to someone digging inside the compiled binary and
getting the keys.

~~~
funkah
I can't believe how many people here think this is okay. YES, a web service!
Please never apply to a company that I am working for!

~~~
z92
The less one knows about a system the more layers of firewall he will put up
to protect it.

People get astonished when I insert a virus infected USB disk into my Windows
machine and use Explorer to safely copy files from it. And when they ask what
anti-virus I use, I say "None, never used any anti-virus in my life. I
reverse-engineered a lot of viruses and I know how they work."

> Please never apply to a company that I am working for!

Sure. Thanks.

~~~
toyg
I'd honestly like to know how you can "safely copy files" with Explorer.

You know a lot of viruses, you don't know _all_ the viruses. How can you
discount the possibility that, one day, the USB interface itself will be
subverted to spread viruses ?

~~~
z92
> the USB interface itself will be subverted to spread viruses ?

It can. But then I would know about it as soon the AV companies know. And I
can take the precaution accordingly. If that is a zero day [remote] exploit,
then I am toast, with or without anti virus.

The point is: anti-viruses would probably make me 10% more secure over what I
already am. Therefore it's not worth it when one considers its cons.

~~~
toyg
If you really can enjoy the same level of semi-instantaneous knowledge of
"virusdom" as AV companies, then you're the 0.00001% of the population. Your
solution simply doesn't scale in the real world.

------
the_mitsuhiko
The game ships a libmysql library. Unless they got a commercial license for
it, that's a GPL violation in the wild.

~~~
drewblaisdell
It isn't a GPL violation because the game is just interfacing with a master
MySQL database, not using one to store local content.

~~~
the_mitsuhiko
libmysql is GPL licensed as well.

~~~
JS_startup
MySQL's own licensing page states that a license is needed for software that
has MySQL distributed as a part of it.

Even if they DID need a license you are out of line to suggest they are
automatically infringing and didn't just purchase the commercial license.

~~~
the_mitsuhiko
> Even if they DID need a license you are out of line to suggest they are
> automatically infringing and didn't just purchase the commercial license.

Well. You do need a license. No question about that. I did not say they are
infringing the license, I was saying that unless they bought a commercial
license for it they would be. Maybe bad wording on my part but when I read
that article the security implications did not nearly strike me as much as the
fact that the game has to ship libmysql.

I find that much more surprising than the fact that it uses a world writable
MySQL database for the editor support.

------
seagaia
<http://www.formspring.me/EdmundM/q/274876035885957785>

I find it disturbing that people would go through and even attempt deleting
levels and altering things en masse. It's okay to point out the bug, and maybe
change one thing to display this fact...but the people changing everything?
It's a selfish thing to do this to thousands of creative works (the user-
created levels), in the motivation of just showing _one_ developer something
he did wrong. Thankfully, there were backups.

Parts of this thread, the somewhat arrogant reaction of the Team Meat
programmer, and the motives and subsequent actions of some of the people
modifying the database, made me a little sick. If anything it's a showing (on
both sides) of the lack of maturity of some programmers.

Look, I _know_ that this could be justified in saying "well, someone would
have done it sooner or later." In that case, I suppose whether or not this was
okay is left up to whether Tommy (the programmer - Edmund did design) would
have patched it. And with his defensive response, I'm sure he knew and was
going to do so, but probably didn't want to admit it (from interviews he seems
to have bit of a bitter ego)

------
RKearney

        SELECT * FROM smb_editor_author CROSS JOIN smb_editor_leveldata
    

This query is taking forever to finish...

~~~
samlev
You should try locking the tables first. Maybe other people connecting is
slowing it down, so a full table lock would be a good idea.

Remember to keep the lock alive after the query finishes, just in case you
need to query it again...

------
username4
Maybe he built a way to detect mischievous updates or he's baiting to sue.

------
jcapote
They don't really care, could've even been intentional:
<http://img820.imageshack.us/img820/1641/itsfinetrustme.png>

------
shearn89
Well, this seems to be fixed - the user posted in the image now only has
SELECT privileges to the database. Unless my mysql is reeeally rusty and I
misunderstood the output...

------
nicksergeant
From what I read, the database isn't "wide open". It's read-only and there's
nothing juicy in it.

Also, a bit of NSFW stuff going on here if you dig too far.

Edit: It's not read-only, INSERT/UPDATE works.

~~~
TheEskimo
Sorry, if you read the page linked you'd see that that is not the case. It is
open to SELECT, UPDATE, and INSERT. If it were SELECT only that would be read-
only.

As it is, that's just stupid as any user can wantonly edit anything. I could
trivially edit every level's author to be myself or do intensive operations
which result in a DoS.

The only smart way to give clients access to a database is through some sort
of frontend entirely under your control which prevents them from having the
user/pass and sanitizes the queries.

Edit: Whoops, while I typed this multiple other people did the same. Sorry for
the redundancy.

~~~
soult
> The only smart way to give clients access to a database is through some sort
> of frontend entirely under your control which prevents them from having the
> user/pass and sanitizes the queries.

MySQL maybe, but enterprise DBs (think Oracle, DB2, Postgres) support a very
fine-grained access model.

~~~
toyg
I'd argue that even then, they are less hardened against network-layer
exploits than your average webserver. Network security is bread & butter for a
webserver, not for your enterprise DB running in safe intranets with only
cursory penetration testing.

~~~
soult
I agree, though if you hardcode username and password into your application
there's no need for fancy exploits.

------
sohamsankaran
supermeatboy.com seems to be down

------
ojbyrne
So it could be that they create a mysql "database" for each user, and give
them all the privileges needed there, and no privileges anywhere else.

And conceivably you could have some kind of proxy that looked like mysql but
actually sanitized/logged/whatever any queries, before passing them on to the
real server.

~~~
pferde
Since that would take more effort and time than simply doing it right, I call
Occam's razor.

~~~
ojbyrne
I wasn't trying to argue that it would be the correct approach, just a
possible explanation.

