I don't really see the ambiguity here. They used a method to circumvent access control methods on the site. These methods where an effort by the operator of the website to prevent un-authorized access to the information. If you want a real world example; say I have a device that will unlock any keyless entry system on a car, then I had this device out to people that want to 'check out' some cars. Maybe see what insurence company the owner is using, maybe take it for a ride. Now, was it the car owners fault for not putting a paddle lock on the outside of the car to prevent this from happening?

The situation would be diffrent and raise diffrent issues if they 'googled' their names and found a link to the app.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/309/31132#31132