Wait, I installed it, how is http://localbattle.net using a valid certificate? I don't know if I want to look under this rock.
/cc @hanno pic.twitter.com/UZJwPRJuGE
"with a bit of social eng" anything is possible, that's not a vulnerability. Users reasonably expect that using hotel wi-fi will not get them compromised, they do not reasonably expect they can email strangers authentication tokens.
The magic url is https://eu.battle.net/login/en/flow/wow-and.app?externalChallenge=login …. If cookies and shit, it immediately redirects to http://localhost:0/?ST=$region-$hash-$id.
Well, that does seem like a bug, I don't think it's a security bug though. I'll think about it.
Not an expert on this stuff. Just know that if you hit the right url, you get redirected to localhost/?token=…, and at least plugins can extract that and send it anywhere. No idea what other vectors there are. You're the expert here! Go break Tassadar! ;)