It isn’t just Southern Water’s pipes which were leaking…

Other customer’s documents were available for download, plus open-day at the company’s internal SharePoint site

Southern Water logo
List of personal correspondence that can be viewed on Southern Water’s website
The correspondence addressed to me — all looks good, but lets check the URL.
Including the internal link in a customer-visible parameter is an extremely bold (and extremely ridiculous) move..
Using the curl command-line tool to retrieve the SharePoint information page
Lots of HTML with embedded JSON comes back, but.. those appear to be correspondence URL’s..
The system shouldn’t let me access someone else’s document.. but..
This correspondence is definitely not mine (heavily redacted, and any downloaded data has been deleted)

But wait, there’s more..!

Using the curl command-line tool against the undocumented Microsoft SharePoint API
Aaaand, we get more lists of other customer’s correspondence URL’s
Again, we should definitely not be able to access anyone else’s documents.. but..
Another heavily redcated (and subsequently deleted) correspondence which is not mine.
Fetching a list of correspondence now returns a HTTP 500 error
Attempts to retrieve an existing correspondence are now met with a timeout error
It appeared that a more detailed fix was being implemented

Timeline