Thanks for that.
However, in Firefox 16 the same origin policy was not implemented correctly and allowed the attacker to gain access to the URL, allowing the leakage of personal data such as the victim's Twitter ID in this case.
So that's why the POC didn't work for me when I tried it. I don't twit!
(Now I might just sign up for Twitter just to see what it does, nah.)