I would say yes if and only if you can send the url as much as you want.
An attacker could just keep changing the pw in the url and keep trying till he gets the successful result if after (i would say 3 times) an other message is displayed saying there were to many bad attempts and you need to wait an x number of minutes before trying again a brute-force attack would not be profitable.
first i would like to know why he tries it with a Get command instead of a post command but if a get command is somehow necessary (can't see why it would be) he should really pay attention to the following (actually he should stop what ever he is doing and make sure it is done the proper way):
there's 2 things i would recommend your friend to do if he insists on keeping the method he is using now:
the first, a passwords needs to be hashed and salted, so from the moment the 'enter button' is pressed the text in the password box needs to be encrypted so it does not show as plain text in the URL.
if you want more information about securely storing and using passwords i would suggest you read the following article:
Best way to store password in database
the 2nd thing is he could test him self just get a URL and submit it, then change it and submit it again, if you can do this over and over again a bruteforce attack is an easy way to break this security however, if after a few tries (normally i'd say 3 times) you get a different result as: jsonp1381741574696({'Result': '-100'})
for example a result stating you have tried to many times i would say it is safe.