by joev_ 4548 days ago
Actually, IE is still vulnerable to a very similar attack in some cases: specifically, you can leak responses containing a small JSON array by inlining the JSON as a script[src=vbscript] tag. Disclosed here: http://en.wooyun.org/bugs/wooyun-2013-023

with the status "unable to contact the vendor or actively neglected by the vendor" :-/

Edit: I meant "injecting" not inlining. Thanks chc for pointing that out.

2 comments

If it has to be inlined, how is that the same vulnerability? I thought the vulnerability was that script tags can fetch external scripts and a local script intercepts the results. If you have to inline both scripts, you can only attack yourself.
Sorry, used the wrong term. I mean it can be injected as a script tag into an xdomain site.
VERY interesting, thanks for sharing! I'll have to play around with this a bit...
Yeah, it's a neat attack. Pretty glaring info leak, IMHO. Even an empty array response can expose login status.
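The thread describes the JSON-hijacking pattern: a cross-origin page injects a script tag pointing at a JSON endpoint, the browser fetches it with the victim's cookies, and a script on the attacker's page reads what the response evaluated to (even an empty array reveals whether the user is logged in). The example below is added here and is not code from the thread or its posters; it shows the server-side hardening a defender would apply and an audit helper that checks whether a response body would parse as a script. The `x-requested-with` header name is an assumed convention (any custom header works, since a plain script tag cannot set one), and the `)]}',\n` prefix is the convention AngularJS's `$http` strips by default.

```javascript
// Added example (not from the thread): hardening a JSON endpoint against
// JSON hijacking via injected <script src=...> tags. Three independent layers:
//  1. never serve a bare top-level array: an array literal is a valid script
//     statement, while a top-level object literal is a syntax error as a script;
//  2. prefix the body with ")]}',\n" so it cannot parse as a script at all;
//     the legitimate XHR/fetch client strips the prefix before JSON.parse;
//  3. require a custom request header (a <script> tag cannot add one) and
//     send nosniff so the browser refuses to treat the body as a script.

const ANTI_HIJACK_PREFIX = ")]}',\n";
const REQUIRED_HEADER = 'x-requested-with'; // assumed convention; keys are lower-cased

function baseHeaders() {
  return {
    'content-type': 'application/json; charset=utf-8',
    'x-content-type-options': 'nosniff',
    'cache-control': 'no-store',
  };
}

// Build the response for a JSON endpoint. `requestHeaders` is an object of
// lower-cased header names, as most server frameworks expose them.
function buildJsonResponse(value, requestHeaders) {
  // Layer 3: refuse requests that lack the custom header (script tags cannot set it).
  if (!requestHeaders || !requestHeaders[REQUIRED_HEADER]) {
    return { status: 403, headers: baseHeaders(), body: '' };
  }
  // Layer 1: wrap a top-level array in an object so the body is not a valid script.
  const payload = Array.isArray(value) ? { data: value } : value;
  // Layer 2: the prefix makes the whole body a syntax error when loaded as a script.
  const body = ANTI_HIJACK_PREFIX + JSON.stringify(payload);
  return { status: 200, headers: baseHeaders(), body };
}

// Client side: strip the prefix before parsing, and fail loudly if it is missing
// (a missing prefix means the endpoint is not protected or the response was tampered with).
function parseProtectedJson(text) {
  if (!text.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('missing anti-hijack prefix');
  }
  return JSON.parse(text.slice(ANTI_HIJACK_PREFIX.length));
}

// Audit helper: does this response body parse as a JavaScript program?
// If it does, a cross-origin <script src> could load it; the body is only
// compiled, never executed.
function parsesAsScript(body) {
  try {
    new Function(body); // compiles without running
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample: a login-status endpoint returning an array of sessions.
const sample = buildJsonResponse([{ user: 'alice' }], { 'x-requested-with': 'XMLHttpRequest' });
console.log(sample.status, parsesAsScript(sample.body), parseProtectedJson(sample.body));
```

Run `parsesAsScript` over a snapshot of every JSON endpoint's body during testing: any `true` result is an endpoint that could be loaded as a script, and the fix is either the object wrapper or the prefix, with the custom-header check as defense in depth.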