I'm not sure about the mechanics of this, but at a minimum the webserver probably has access to the HTTPS private key for the subdomain, or at least has it in memory, since the request is shown to be running over HTTPS.
Reading the memory of another process is not allowed on a modern OS for precisely that reason, so this would be another exploit. (http://en.wikipedia.org/wiki/Process_isolation) But the keys are most likely on disk, readable by the server ;).
Also, some setups are not prone to this: Twitter most likely uses a proxy terminating SSL and then forwards the request to a smaller webserver running the app. This one will not hold the keys.
Most larger webservers can also run the app workers with a different user than the webserver itself.
> Reading the memory of another process is not allowed on a modern OS for precisely that reason, so this would be another exploit.
Both Linux and Windows allow processes to read the memory of other processes running as the same user, via ptrace() and /proc/pid/mem on Linux, and via ReadProcessMemory() on Windows.
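As an added example (not part of the thread): a simplified model of the Linux check behind ptrace() and /proc/pid/mem, showing which settings keep a same-user app worker out of the webserver's memory. The `/proc/<pid>/status` snippets are constructed samples, the function names are hypothetical, and the Yama `kernel.yama.ptrace_scope` setting and the dumpable flag are assumptions about the host that the thread does not mention.

```python
import re

CAP_SYS_PTRACE = 19  # bit index in the CapEff mask (linux/capability.h)

def parse_status(text):
    """Pull the uids and CAP_SYS_PTRACE bit out of /proc/<pid>/status text."""
    uids = [int(x) for x in re.search(r"^Uid:\s+(.*)$", text, re.M).group(1).split()]
    cap_eff = int(re.search(r"^CapEff:\s+([0-9a-fA-F]+)$", text, re.M).group(1), 16)
    return {"uids": uids, "ptrace_cap": bool(cap_eff >> CAP_SYS_PTRACE & 1)}

def may_read_memory(reader, target, ptrace_scope,
                    target_is_descendant=False, target_dumpable=True):
    """Simplified model of the kernel's attach check (gid checks and user
    namespaces are omitted). Returns (allowed, reason)."""
    r, t = parse_status(reader), parse_status(target)
    if ptrace_scope == 3:
        return False, "ptrace_scope=3: attaching is disabled for everyone"
    if r["ptrace_cap"]:
        return True, "reader holds CAP_SYS_PTRACE"
    if ptrace_scope == 2:
        return False, "ptrace_scope=2: CAP_SYS_PTRACE required"
    # Reader's real uid must equal the target's real, effective and saved uid.
    if any(u != r["uids"][0] for u in t["uids"][:3]):
        return False, "different user"
    if not target_dumpable:
        return False, "target cleared its dumpable flag (PR_SET_DUMPABLE=0)"
    if ptrace_scope == 1 and not target_is_descendant:
        return False, "ptrace_scope=1: only descendants may be attached"
    return True, "same user under classic ptrace permissions"

# Constructed samples: webserver holding the TLS key, and three possible readers.
WEBSERVER = "Name:\twebserver\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000000\n"
APP_SAME_USER = "Name:\tapp-worker\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000000\n"
APP_OTHER_USER = "Name:\tapp-worker\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n"
ROOT_TOOL = "Name:\tdebugger\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for name, reader in [("same user", APP_SAME_USER), ("other user", APP_OTHER_USER),
                         ("root", ROOT_TOOL)]:
        for scope in (0, 1, 2, 3):
            print(name, scope, may_read_memory(reader, WEBSERVER, scope))
```

On a real host the current value can be read from `/proc/sys/kernel/yama/ptrace_scope` where the Yama LSM is enabled.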