"Please stop with the physical analogies." weev relied on one during his defence, so they're fair game.
The social contract of the web is usurped by the legal contract of society, though whether the legal framework is being applied in a just and fair manner is certainly up for debate.
And honestly can you say, hand on heart, that the intention of the AT&T developers was to purposefully leave that hole there? That'd be lunacy. Clearly it's a mistake, an 'oh crap, we didn't think of that'.
Upon going to the wireless account management webpage on the iPad, it would already have the email address last associated with that ICCID (sim card) filled in in the form input element, so that the user would only have to type in their password, and not the email address as well.
It was an express design decision to reduce the number of steps taken by a user to reactivate service. They explicitly chose to weaken the authentication system to increase convenience, and didn't want to do credential management, so they just used the sequential integer ICCID to fetch the email address last associated with that SIM.
Afterward, they said "oh, well, we didn't INTEND for you to use it that way", despite the fact that this is very obviously gross negligence.
It's not a hole - it's a feature they chose to implement.
The bad law that lets anyone, retroactively, define "unauthorized access" by their own attitudes and whims, is the problem here.
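To make the design choice described above concrete, here is an added illustration (my own, not AT&T's code and not from this thread) of the difference between a lookup keyed only on a public, predictable identifier and one that also requires a secret. The ICCID values, email addresses, the per-SIM activation secret, and the function and class names are all constructed assumptions for the example; the point is that a response keyed solely on an enumerable integer is an authorization check that checks nothing, whereas requiring an unguessable per-device secret, answering identically for unknown and wrong inputs, and watching for one client touching many distinct identifiers are the defender's counterparts.

```python
"""Constructed example: a SIM reactivation page that prefills the account email.

None of this is AT&T's code. The data, the per-SIM activation secret and the
monitoring threshold are assumptions made for illustration.
"""
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: ICCID (public, sequential) -> last associated email.
SIM_TO_EMAIL = {
    89014103211118510720: "alice@example.com",
    89014103211118510721: "bob@example.com",
}

# Assumption: at provisioning time each SIM is also issued a random,
# unguessable activation secret that lives on the device next to the ICCID.
SIM_SECRET = {iccid: secrets.token_bytes(32) for iccid in SIM_TO_EMAIL}


def prefill_email_weak(iccid: int):
    """The convenience design: the only input is the ICCID.

    The ICCID is not a secret and is assigned sequentially, so possession of
    the number proves nothing about who is asking. Every caller who can form a
    plausible ICCID receives the associated email address.
    """
    return SIM_TO_EMAIL.get(iccid)


def prefill_email_hardened(iccid: int, presented_secret: bytes):
    """Same feature, but the prefill is only released to a caller holding the
    per-SIM secret, and unknown ICCIDs and wrong secrets are indistinguishable.
    """
    expected = SIM_SECRET.get(iccid)
    if expected is None:
        # Compare against a dummy value so timing does not reveal whether the
        # ICCID exists at all, then answer exactly as for a wrong secret.
        hmac.compare_digest(presented_secret, bytes(32))
        return None
    if not hmac.compare_digest(presented_secret, expected):
        return None
    return SIM_TO_EMAIL.get(iccid)


class LookupMonitor:
    """Defender-side check: a legitimate device reactivating service asks
    about its own SIM, so one client querying many distinct ICCIDs is the
    signal worth alerting on, whichever prefill design is in place."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold  # assumed alert threshold
        self.seen = defaultdict(set)  # client id -> distinct ICCIDs queried

    def record(self, client: str, iccid: int) -> bool:
        """Record one lookup; return True once this client is flagged."""
        self.seen[client].add(iccid)
        return len(self.seen[client]) >= self.threshold


if __name__ == "__main__":
    sim = 89014103211118510720
    print("weak:", prefill_email_weak(sim))
    print("hardened, right secret:", prefill_email_hardened(sim, SIM_SECRET[sim]))
    print("hardened, wrong secret:", prefill_email_hardened(sim, bytes(32)))
    mon = LookupMonitor(threshold=3)
    for n in range(3):
        flagged = mon.record("client-A", sim + n)
    print("client-A flagged:", flagged)
```

The weak and hardened functions expose the same feature to the real user (one fewer field to type) but differ in what they demand of the caller; the monitor is independent of that choice and is the kind of check that would have surfaced a sweep across identifiers on either design.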