I think this is a valid observation and the affected apps should either add auth to resources they control - shared or not - or use an UUID to store it so names can't be guessed.

This only works because the attacker knows the URL.