Forum Moderators: phranque
Customers of U.K. mobile network operator O2 may believe that photos taken with their mobile phones and sent via MMS to friends are private. But if the recipient's phone isn't capable of receiving MMS data, as is the case with Apple's iPhone 3G, those pictures may be publicly accessible. O2's security for this scenario is security through obscurity: It makes pictures sent via MMS viewable on non-MMS devices by posting them online with a URL that's difficult to guess.
But thanks to Google, there's no need to guess the URL. It can be found using the inurl: search query operator with mms2legacy as the argument.
[informationweek.com...]
This is a perfect example, and a lesson, that security through obscurity should not be employed. Also, the article mentions that you can search for 'not so secure' pictures on G with "inurl:mms2legacy". If you perform the query you will see that results from the O2 operator return a 404 page, probably meaning that O2 took some steps to mitigate the issues of their troublesome implementation. However, if you click on the "Cached" result you will be able to see the picture.
This means that O2, while trying to make URLs hard to guess, allowed robots to cache the page. This is another serious omission from O2 and a lesson to all.
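As an added example (not code from the article or from O2's own system), here is a Python sketch of the two controls the lesson above implies: a per-picture link that is HMAC-signed and expires, rather than merely hard to guess, and response headers that tell crawlers not to index or archive the page. The secret key, URL path and media id are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"

def _tag(media_id: str, expires: int) -> str:
    """HMAC over media id and expiry, so neither can be altered or extended."""
    msg = f"{media_id}:{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def make_link(media_id: str, ttl_seconds: int = 600, now: Optional[int] = None) -> str:
    """Build a link whose token carries an expiry; guessing the path is not enough
    and a leaked or indexed link stops working after ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"id": media_id, "exp": expires, "sig": _tag(media_id, expires)})
    return f"/mms/view?{query}"  # hypothetical path

def verify_link(query: str, now: Optional[int] = None) -> Optional[str]:
    """Return the media id if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    q = parse_qs(query)
    try:
        media_id, expires, sig = q["id"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    if expires < now:
        return None
    # Constant-time compare avoids leaking the tag byte by byte.
    return media_id if hmac.compare_digest(_tag(media_id, expires), sig) else None

def response_headers() -> dict:
    """Headers sent with the picture: no indexing, no cached copy, no snippet,
    and no shared-cache storage. Without these a 404 later still leaves a cache."""
    return {
        "X-Robots-Tag": "noindex, noarchive, nosnippet",
        "Cache-Control": "private, no-store",
    }

def handle_request(query: str, now: Optional[int] = None):
    """Minimal handler: (status, headers, media id or None)."""
    media_id = verify_link(query, now)
    if media_id is None:
        return 404, response_headers(), None
    return 200, response_headers(), media_id
```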