This Tweet is unavailable.
1
2
Conversation
You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more
You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more
The scripting doesn't need to be in the Go code to accomplish the same thing, and as I said, that sounds a lot like many commonly deployed environments.
i.e. it can be JavaScript or Lua scripting closely tied to Go code, such as a web browser, custom map / mod scripting for a game engine, etc. There are a lot of cases where an attacker has scripting capabilities. Remote access to a service can also provide similar capabilities.
2
It's definitely way harder to do an exploit like this without either direct remote connections to a service or even better local scripting. Still, I'm not really surprised anymore when people exploit something like a 1 byte null overflow without scripting or an active connection.
1