
It was expressly to support autocomplete.

Upon going to the wireless account management webpage on the iPad, it would already have the email address last associated with that ICCID (sim card) filled in in the form input element, so that the user would only have to type in their password, and not the email address as well.

It was an express design decision to reduce the number of steps taken by a user to reactivate service. They explicitly chose to weaken the authentication system to increase convenience, and didn't want to do credential management, so they just used the sequential integer ICCID to fetch the email address last associated with that SIM.

Afterward, they said "oh, well, we didn't INTEND for you to use it that way", despite the fact that this is very obviously gross negligence.

It's not a hole - it's a feature they chose to implement.

The bad law that lets anyone, retroactively, define "unauthorized access" by their own attitudes and whims, is the problem here.
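To make the design trade-off concrete, here is an added example (not code from the original comment or from the carrier): the ICCID-keyed prefill the comment describes, a hardened variant that keys the prefill on a random token issued only after a password login, and a detector that flags one client requesting the prefill for many distinct SIMs. The subscriber data, token store, log format and IP addresses are constructed for the demo.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample subscriber store; the ICCIDs and addresses are made up.
SUBSCRIBERS = {
    "8901410400000000001": "alice@example.com",
    "8901410400000000002": "bob@example.com",
}

def prefill_email_insecure(iccid: str):
    """The design the comment describes: the ICCID alone selects the email.
    ICCIDs are sequential, so the lookup key is enumerable, not secret."""
    return SUBSCRIBERS.get(iccid)

# Hardened variant (hypothetical design): the prefill is keyed by a random,
# server-issued token the device receives only after a successful login.
_PREFILL_TOKENS: dict[str, str] = {}

def issue_prefill_token(iccid: str) -> str:
    """Called once the user has authenticated; returns an opaque 256-bit token."""
    token = secrets.token_urlsafe(32)
    _PREFILL_TOKENS[token] = iccid
    return token

def prefill_email_secure(token: str):
    """A guessed or fabricated token maps to nothing, unlike a guessed ICCID."""
    iccid = _PREFILL_TOKENS.get(token)
    return SUBSCRIBERS.get(iccid) if iccid else None

# Detection side: a client walking sequential ICCIDs stands out as one source
# requesting the prefill for many distinct SIMs. Log format is constructed.
LOG_RE = re.compile(r"^\S+ (?P<ip>\S+) GET /prefill\?iccid=(?P<iccid>\d+)")

SAMPLE_LOG = """\
2010-06-09T12:00:01Z 203.0.113.5 GET /prefill?iccid=8901410400000000001
2010-06-09T12:00:01Z 203.0.113.5 GET /prefill?iccid=8901410400000000002
2010-06-09T12:00:02Z 203.0.113.5 GET /prefill?iccid=8901410400000000003
2010-06-09T12:00:02Z 203.0.113.5 GET /prefill?iccid=8901410400000000004
2010-06-09T12:05:00Z 198.51.100.7 GET /prefill?iccid=8901410400000000002
"""

def flag_enumeration(log_text: str, threshold: int = 3) -> dict[str, int]:
    """Return {client_ip: distinct_iccid_count} for clients over the threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(m["iccid"])
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > threshold}
```

In the hardened variant a scan of sequential ICCIDs returns nothing, and the same scan is what `flag_enumeration` surfaces in the access log.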
