Hah, AT&T used consecutive IDs and then provided a PHP script that spit out user data when provided with the ID. I wouldn't even consider that a vulnerability, just stupidity. It behaved just as intended, except for allowing anyone to do it, of course.
Highway of Life wrote: Articles like that are so stupid with their name choices, it should be AT&T's worst security breach, since the breach was through AT&T's website.
Indeed, I'm not sure how Apple was supposed to close gaping security holes in AT&T's website. The article does mention that it was Apple requiring this data to be provided in order to activate the device, however.
Exacerbating the situation is that AT&T has not yet notified customers of the breach, judging from the subscribers we and the security group contacted, despite being itself notified at least two days ago. It's unclear if AT&T has notified Apple of the breach.