I wanted to check our online bill today, and used the URL that came in the email from Spark notifying us that our bill was ready (which takes the form of https://www.spark.co.nz/viewer/GetBillImage?url=<GUID>).
Because I was curious, I decided to see if this URL required you to be logged in or not. I was shocked to find that it didn't!
Thinking this must be a browser session or cookie issue, I tried in another browser (where I'd never logged into MySpark from). Statement still visible. Cleared all history. Yep, still visible.
As a final litmus test, I asked my mate in the US if he could access it.

This is a pretty serious security flaw. Loads of personal information available here.
This is also the second time I've encountered it this week, with JB HiFi using a similar "security by URL" scheme for their online orders. I kinda expected it from them, as their website is all kinds of antiquated. But I'm a little shocked seeing it from Spark.
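As an added illustration (not code from the post, from Spark or from JB HiFi), the following Python models the "security by URL" pattern described above next to what a bill viewer should actually do: require a logged-in session and confirm the requested statement belongs to that account. The bill store, the account names and the GUIDs are constructed for the example, and the handlers return an HTTP-style status code and body instead of serving a real PDF. The `leaks_without_login` helper reproduces the check the post describes, requesting the URL with no session at all.

```python
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data for this example: two customers, one bill each.
@dataclass(frozen=True)
class Bill:
    guid: str
    owner: str    # account the statement belongs to
    image: bytes  # stand-in for the rendered statement (PDF/PNG)


@dataclass(frozen=True)
class Session:
    user: Optional[str]  # None means the request carried no valid login cookie


# Unguessable identifiers (uuid4 is random) make link-guessing impractical,
# but they do not replace authentication: anyone who obtains the link
# (forwarded email, browser history, proxy logs) can still open it.
BILLS: Dict[str, Bill] = {}
for _owner in ("alice", "bob"):
    _guid = str(uuid.uuid4())
    BILLS[_guid] = Bill(_guid, _owner, f"statement for {_owner}".encode())


def guid_for(owner: str) -> str:
    """Look up the constructed bill GUID for an account (example helper)."""
    return next(b.guid for b in BILLS.values() if b.owner == owner)


Response = Tuple[int, bytes]
Handler = Callable[[Session, str], Response]


def get_bill_image_vulnerable(session: Session, guid: str) -> Response:
    """'Security by URL': the GUID alone grants access; the session is ignored."""
    bill = BILLS.get(guid)
    if bill is None:
        return 404, b""
    return 200, bill.image


def get_bill_image_hardened(session: Session, guid: str) -> Response:
    """Authenticate first, then authorise the GUID against the session's account."""
    if session.user is None:
        # Not logged in: a real app would redirect to the login page here.
        return 401, b""
    bill = BILLS.get(guid)
    if bill is None or bill.owner != session.user:
        # Same answer for "no such bill" and "not your bill", so a logged-in
        # user cannot probe the GUID space to learn which identifiers exist.
        return 404, b""
    return 200, bill.image


def leaks_without_login(handler: Handler, guid: str) -> bool:
    """The post's test: does the link work with no session (fresh browser, cleared history)?"""
    status, body = handler(Session(None), guid)
    return status == 200 and len(body) > 0


if __name__ == "__main__":
    link = guid_for("alice")
    for name, h in (("vulnerable", get_bill_image_vulnerable),
                    ("hardened", get_bill_image_hardened)):
        print(f"{name}: leaks without login = {leaks_without_login(h, link)}")
```

The ownership check is the part that matters: checking only for a login would still let one customer open another customer's statement by changing the GUID, which is the same class of flaw as the unauthenticated link.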