No. Unblow your mind. Any service which returns sensitive data in JSON via an HTTP get based on the user's cookie is vulnerable. At worst, an attacker would just be able collect the response of a GET on behalf of a visitor to the attacker's site if the user is on a really old browser.
