Important: the code bellow will really show your cookies if you are logged into Twitter (no matter in which tab or window). The button reads "Get Cookies from Charlie" because in the video PoC we were attacking an imaginary character named Charles. However, clicking on that button will show your cookies.

This proof of concept assumes that you have a Twitter tab/window already opened. If you don't, please, open one now!

Charlie, we are out of milk but we have your cookies.



This is our code:

window.open('javascript:alert(parent.document.cookie)','dm-post-iframe');



Tested on: Microsoft Edge 40.15063.0.0 / EdgeHTML 15.15063

Explanation: SOP bypass / UXSS data-meta-data in a domainless world (Edge)

Contact: @magicmac2000