tl;dr if your app runs a local server it needs to validate the Host header of incoming HTTP requests. Tavis is opening issues for apps where this causes RCE but there’s probably tons more where this will cause privacy leaks https://twitter.com/taviso/status/955540415263907840 …
Replying to @bcrypt
It needs to validate a lot more. Just host still allows any user on localhost to execute code as the victim user.
6:21 PM - 22 Jan 2018
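The two tweets above describe two separate checks a local HTTP server needs: a Host-header allowlist, which stops a browser page on an attacker-controlled name from reaching the server after DNS rebinding, and a per-user secret, which is what Tavis's reply points at: with only the Host check, any other account on the same machine can still open a TCP connection to 127.0.0.1 and drive the server. The example below is added here and is not code from either tweet or from any of the apps Tavis filed issues against. It is a minimal Python `http.server` that applies both checks; the port, the token file name and the `Bearer` token scheme are assumptions made for the example.

```python
import hmac
import os
import secrets
import tempfile
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names a browser legitimately uses for this machine. A rebound attacker
# hostname that resolves to 127.0.0.1 never appears in this set.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

# Assumed location for the per-user secret (example value, not from the tweets).
DEFAULT_TOKEN_PATH = os.path.join(tempfile.gettempdir(), "example-local-app-token")


def host_is_local(host_header, port):
    """Return True only if the Host header names this machine on our port."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                       # IPv6 literal, e.g. [::1]:8765
        end = host.find("]")
        if end < 0:
            return False
        name, port_part = host[:end + 1], host[end + 1:]
    elif host.count(":") == 1:                     # name:port
        name, port_part = host.split(":")
        port_part = ":" + port_part
    elif ":" in host:                              # unbracketed IPv6 or junk: reject
        return False
    else:
        name, port_part = host, ""
    if port_part == "":
        given_port = 80                            # HTTP default when the port is omitted
    elif port_part[1:].isdigit():
        given_port = int(port_part[1:])
    else:
        return False
    return name in ALLOWED_HOSTS and given_port == port


def check_request(host_header, authorization, expected_token, port):
    """Return (status, reason). The Host check alone defeats DNS rebinding from a
    browser; the token check is what keeps other local users out."""
    if not host_is_local(host_header, port):
        return HTTPStatus.FORBIDDEN, "bad Host header"
    if not authorization or not authorization.startswith("Bearer "):
        return HTTPStatus.UNAUTHORIZED, "missing token"
    presented = authorization[len("Bearer "):]
    if not hmac.compare_digest(presented, expected_token):   # constant-time compare
        return HTTPStatus.UNAUTHORIZED, "bad token"
    return HTTPStatus.OK, "ok"


def write_token_file(path=DEFAULT_TOKEN_PATH):
    """Generate a fresh secret and store it readable only by the invoking user
    (mode 0600 on POSIX; Windows ignores the mode bits). Processes running as
    that user can read it to authenticate; other local accounts cannot."""
    token = secrets.token_urlsafe(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return token


class LocalOnlyHandler(BaseHTTPRequestHandler):
    token = None  # set once at startup, before serve_forever()

    def do_GET(self):
        status, reason = check_request(
            self.headers.get("Host"),
            self.headers.get("Authorization"),
            self.token,
            self.server.server_port,
        )
        body = reason.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    LocalOnlyHandler.token = write_token_file()
    srv = HTTPServer(("127.0.0.1", 8765), LocalOnlyHandler)   # loopback only
    print("listening on 127.0.0.1:%d, token in %s" % (srv.server_port, DEFAULT_TOKEN_PATH))
    srv.serve_forever()
```

Binding to 127.0.0.1 rather than 0.0.0.0 keeps the network out, the Host allowlist keeps rebound browser origins out, and the owner-only token file keeps other local accounts out; a legitimate client of the same user reads the file and sends `Authorization: Bearer <token>`. Dropping any one of the three reopens the corresponding path.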