Bleh, what's wrong with %APPDATA%?
pic.twitter.com/sO3PCsN30g
I „heard“ that one of the auth methods of bnet actually just ended up with redirecting to localhost/?token= and token was valid without geo or (reasonable) time restriction, so with a bit of social eng…
"with a bit of social eng" anything is possible, that's not a vulnerability. Users reasonably expect that using hotel wi-fi will not get them compromised, they do not reasonably expect they can email strangers authentication tokens.
The localhost endpoint is not relying on the certificate for security. The endpoint is treated with the same level of trust as a raw http connection. Other countermeasures are employed instead. Genuinely curious if there is a way to actually get anything out of it.
Confused by what "trust" you mean here. The only reason it's "localhost" is because that's what DNS says, an attacker (e.g. hotel wi-fi) can lie and you would be talking to them instead.