Thanks for that.
quote:
When the user browses to the attackers web page, a Javascript on that page opens a new browser window with a Twitters lists URL (»twitter.com/lists). If the victim is signed in to Twitter, then the window is automatically redirected by Twitter to the victims personal lists page and the URL now contains the victims personal twitter ID (e.g. »twitter.com/Imperva/lists). The attackers Javascript now queries the new window for its URL by using the location object. On previous versions, the same origin policy had failed such requests.
However, in Firefox 16 the same origin policy was not implemented correctly and allowed the attacker to gain access to the URL, allowing the leakage of personal data such as the victims Twitter ID in this case.
So that's why the POC didn't work for me when I tried it. I don't twit!
(Now I might just sign up for Twitter just to see what it does, nah.)