Hacker News

Yes. This is why weev went to prison. https://en.wikipedia.org/wiki/Weev#AT&T_data_breach

tl;dr: AT&T has an account status page that, for mobile devices, did not require any authorization. Something like /status?phone=8367492738 and you see the account data for that phone. It was guarded by a password if you navigated to it on a desktop/laptop, but it was unsecured if you navigated to it with a mobile device.

He spoofed the user agent string to make his laptop say it was a phone (this is extremely common, there is a button in your browser to do this in one click, and the spec that defines the UA string specifically says not to use it for authorization for this exact reason), and dumped the account details from every URL.

Despite these being pages publicly accessible on the open internet, he went to jail for years for unauthorized access under the CFAA.
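The two authorization decisions described in the comment above, side by side, as an added example that is not part of the original post or of AT&T's code. The account store, phone numbers, request shape and handler names are constructed for illustration; the point is that the flawed handler lets a client-controlled header stand in for authentication, while the fixed handler requires a session that owns the requested account.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample account store (not real customer data).
ACCOUNTS = {
    "5551230001": {"name": "Alice Example", "plan": "unlimited"},
    "5551230002": {"name": "Bob Example", "plan": "prepaid"},
}


@dataclass
class Request:
    path_phone: str                 # the ?phone= query parameter
    user_agent: str                 # User-Agent header, fully client-controlled
    session_phone: Optional[str]    # phone bound to an authenticated session, if any


def is_mobile_ua(user_agent: str) -> bool:
    # Naive device sniffing; only a hint about presentation, never a credential.
    return any(tok in user_agent for tok in ("Mobile", "iPhone", "Android"))


def status_vulnerable(req: Request) -> Optional[dict]:
    # Flawed design from the comment: mobile clients skip the password check,
    # so the User-Agent header effectively becomes the authorization decision.
    # Because the client chooses that header, anyone can satisfy the check.
    if is_mobile_ua(req.user_agent) or req.session_phone is not None:
        return ACCOUNTS.get(req.path_phone)
    return None  # would redirect to the password page


def status_fixed(req: Request) -> Optional[dict]:
    # Hardened: every client must hold an authenticated session, and that
    # session must own the phone number being requested (object-level
    # authorization). The User-Agent plays no role in the decision.
    if req.session_phone is None:
        return None
    if req.session_phone != req.path_phone:
        return None
    return ACCOUNTS.get(req.path_phone)
```

A quick check that the header-based branch is what leaks data: the same unauthenticated request with a phone-like User-Agent returns an account from `status_vulnerable` and nothing from `status_fixed`.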

Well, I mean, that and (I'm sure) the fact that he was a notorious asshole and the authorities would rather make an example out of him than out of a more sympathetic defendant.