Comment 1 for bug 715358

Adam P (adam+) wrote :

There's an extension of this attack that will allow the attacker to determine what kind of user type/group a particular user is. If the XHR or iframe src is to www.psiproxy.com/users.php and the response is successful, then the attacker knows the user is an admin.

(This would also work for Propagators, but maybe not for Power Users, since they don't have any distinct pages.)