Spark-2.5.0
Spark keeps it configuration in the directory ~/.Spark. This directory and all of it’'s subdirectories are created with permission (777 & ~umask) and all of the files are permission (666 & ~umask). For most people their umask is set to 022 or 027. All the files in ~/.Spark are potentially readable including spark.properties which includes the users accounts and encrypted passwd, and the directories user//{contacts, vcards, transcripts, downloads}.
If the users umask allows writing by others then ~/.Spark/plugins will be writable which will allow malicious plugins to be installed without the knowledge of the user.
Spark should at least create ~/.Spark with pemission 700 and preferebly all files in ~/.Spark should use a umask of 077.