A “proof of concept” exploit for the vulnerability exists (for more, check this out).
- A user browses to the attacker site.
- That attacker opens a new window in Twitter from attacker site.
- If the victim is signed in to twitter, then the user gets redirected to a URL that contains a personal twitter ID.
- The attacker can now query the new window on the URL and obtain the victim’s personal twitter ID.
On previous versions of Firefox, this attack would fail:
There was a regression in Firefox 16 that allowed this attack to work: