AT&T has always had problems like this. Back before the iPhone allowed MMS, when someone tried to text me a picture, I would get a text with an AT&T Web site address instead. By going to the address, I would see the picture.
The AT&T Web site that allowed me to see the MMS pictures had the exact same security flaw. I could manipulate the address bar to see pictures that other people were getting in MMS messages, too! It was trivial to do so--and in fact I discovered it because of a bug in the AT&T system that would only let me see the full-sized picture that had been texted to me if I messed with the address in the address bar.
I never bothered to report it because shortly after I discovered it, AT&T enabled MMS on the iPhone and did away with the need to go to their Web site to see an MMS picture. But it worked *exactly* the same way as the bug that exposed iPad information, so I bet the same Web developer was responsible.
