This is one of a series of weaknesses in PayPal’s two-tier security system that can lead to access to funds, or to a DoS attack, given only an account and a captured password, or an unclosed browser with an uncleared cache where a user has logged off.
Read here: PayPal Security Issue #1
More coming, once I get my test account unlocked.
Publishing publicly since, if I know this, best to assume many hundreds of black-hat, malicious people know it as well and are exploiting it.
The fixes are very, very easy. I hope this will goad PayPal into fixing this problem.


