Yeah, I definitely would not do that to a 3rd-party system without a specific letter of engagement for a penetration test or security review. Now, that being said, it's the first thing I would tell every single developer about as a senior developer, and I would insist that test cases be written to verify that no such 'feature' was permitted into the application.
Should I consult with my lawyer before manually entering an address into a browser? I could easily make a mistake that would allow me to access the wrong page.
Heck, if we're being that careful maybe I should just throw my computers out the window. A Google search result or a forum post could link me to the wrong page and I could get sued.