> This is more like someone giving you a key to a filing cabinet in order to retrieve some documents
No. It's like someone asking you what you need, you telling them "I want all my documents and the ones from my neighbours because I feel like it", and them proceeding to hand you everything you asked for neatly collected in a folder.
You’re still ascribing agency and authority to a fancy vending machine. The server has absolutely zero authority to grant you authorization to the documents. It can only grant you access. The servers are not representatives of the government or the site-owners, they are just machines. And just because the vending machine is broken and works without you paying doesn’t make it not stealing.
The fact that the server cannot make decisions that were not predetermined is exactly why the responsibility for its behaviour lies with the people running it. They make the rules, they are the ones whose job it is to read the manual. And when someone makes a technically valid request (instead of, say, SQL injection attacks) it's not the user's fault for an incorrect response. They might not even be aware that they're not allowed to do a specific request: it's reasonable to assume IDs in the URL are not sensitive information, as URLs are public and unprotected by default.
Of course it's on the user if they know they're not supposed to have access to some info and they use it to their advantage regardless. If they're a nice person they'll even report the issue (though less likely after news like this).
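The "fancy vending machine" in this exchange is, concretely, an endpoint that looks up a record by the id in the URL and returns it to any authenticated caller. The following added example (not from the thread, and not anyone's real code) simulates that in plain Python: a vulnerable handler that only authenticates, beside a hardened one that also checks that the record belongs to the caller, returns the same error as for a missing id so ids cannot be enumerated, and writes an audit line so operators can see probing. The tenants, document ids and URL shape are constructed sample data.

```python
"""Added example: an IDOR-style document lookup, vulnerable vs. hardened.
All tenants, ids and paths below are constructed sample data."""
from dataclasses import dataclass

# Constructed sample store: two tenants ("businesses") and their documents.
DOCUMENTS = {
    101: {"owner": "acme", "title": "Acme Q3 invoices"},
    102: {"owner": "acme", "title": "Acme payroll"},
    201: {"owner": "globex", "title": "Globex supplier list"},
}

# Audit trail written by the hardened handler; operators would ship this to a SIEM.
AUDIT_LOG = []


@dataclass
class Request:
    user: str   # authenticated principal the session belongs to
    path: str   # e.g. "/documents/101"; the id is attacker-controlled


class NotFound(Exception):
    """Raised for missing records and, in the hardened handler, for foreign ones."""


def parse_doc_id(path: str) -> int:
    """Extract the numeric id from /documents/<id>; anything else is a 404."""
    prefix = "/documents/"
    if not path.startswith(prefix) or not path[len(prefix):].isdigit():
        raise NotFound(path)
    return int(path[len(prefix):])


def vulnerable_get_document(req: Request) -> dict:
    """Authenticates (req.user is set) but never authorizes: any logged-in
    user who edits the id in the URL receives another tenant's record."""
    doc_id = parse_doc_id(req.path)
    if doc_id not in DOCUMENTS:
        raise NotFound(doc_id)
    return DOCUMENTS[doc_id]


def hardened_get_document(req: Request) -> dict:
    """Object-level authorization: the record must belong to the caller.
    A foreign record is reported exactly like a missing one, so the endpoint
    is not an oracle for which ids exist, and every denial is logged."""
    doc_id = parse_doc_id(req.path)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != req.user:
        AUDIT_LOG.append(f"DENY user={req.user} doc_id={doc_id}")
        raise NotFound(doc_id)
    return doc


def enumerate_ids(handler, user: str, ids) -> list:
    """What a curious (or malicious) user does: walk the id space and keep
    the ids that came back with data. Returns the list of readable ids."""
    found = []
    for i in ids:
        try:
            handler(Request(user=user, path=f"/documents/{i}"))
            found.append(i)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    ids = range(100, 300)
    # As "globex", the vulnerable endpoint leaks both of acme's documents.
    print("vulnerable:", enumerate_ids(vulnerable_get_document, "globex", ids))
    # The hardened endpoint only returns globex's own record...
    print("hardened:  ", enumerate_ids(hardened_get_document, "globex", ids))
    # ...and leaves a trail of the probing behind.
    print("\n".join(AUDIT_LOG[:3]), "...")
```

The design point is that the server does exactly what its code says in both versions; the difference between "technically valid request" and "unauthorized access" is the one ownership comparison the operator either wrote or did not.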
> just because the vending machine is broken and works without you paying doesn’t make it not stealing
So if it's broken and doesn't work despite me paying, does that make my payment a donation? No.
Though it probably is theft if I knowingly abuse the error for profit.
I feel like I'm taking crazy pills here. We're specifically talking about someone who knew that they weren't supposed to access other businesses' data and did so purposefully for their own gain. How is that not abusing the error for profit?
Like you can say "URLs aren't sensitive by default" up until the guy admits that he knows it's an error and he's accessing the private data he's not supposed to see. That changes the situation completely.