I guess this is exactly the thing that the court must decide on: whether guessing that code can be considered as a circumvention of security measures or not.
What if you find this magic token because it was embedded in some client-side, javascript login-form? Are you a hacker for viewing the source?
Securing content on the internet is easy. If you don't want it accessible to anyone, don't give the content to anyone who provides an unauthenticated HTTP request.
Why are we putting the legal responsibility of maintaining security on that content on everyone except the ones actually in position to do so?
Depends on the document and jurisdiction. If I remember correctly, some levels of military classifications here in Finland require you to not read the document and return it to the officials. Of course the one who left the document would also get reprimanded at least.
Using someones password without permission is as illegal whether you shoulder surfed it, cracked it or red it from a post-it note.
What if you find this magic token because it was embedded in some client-side, javascript login-form? Are you a hacker for viewing the source?
Securing content on the internet is easy. If you don't want it accessible to anyone, don't give the content to anyone who provides an unauthenticated HTTP request.
Why are we putting the legal responsibility of maintaining security on that content on everyone except the ones actually in position to do so?