Webhooks major security flaw

coder11111
New Community Member

The webhooks have a major security flaw. You can't provide a URL to the certificate used for signing a transaction in the request. Literally anyone could craft a similar-looking response, put their own certificate from a URL that legitimately validates and provide any fake info they wanted, and the signature verification would still pass.

 

Currently, in the headers, it is something like:
https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-38317689


To rectify this, the certificate would need to be signed by the "paypal.com" certificate and the certificate chain would need to be provided. Or you list a static URL in your API docs that can be hard-coded; then, when you update the certs, just swap them. This is pretty bad. I haven't had a chance to see if the libraries currently available are designed to address this. But I assume this is a pretty widespread vulnerability.
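A receiver-side check for the concern raised in the post, as an added example that is not part of the original post and not PayPal's own code: the certificate URL taken from the webhook request is fetched only if it matches a strict allow-list. The allowed host and path prefix are assumptions derived from the example URL quoted above, and `is_trusted_cert_url` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit

# Assumption: allow-list derived from the example URL quoted in the post.
ALLOWED_HOSTS = {"api.paypal.com"}
ALLOWED_PATH_PREFIX = "/v1/notifications/certs/"
CERT_ID_RE = re.compile(r"[A-Za-z0-9-]+")


def is_trusted_cert_url(url):
    """Return True only if the certificate URL is safe to fetch."""
    if not isinstance(url, str):
        return False
    # Reject whitespace, control characters and backslashes, which
    # different URL parsers normalise in different ways.
    if "\\" in url or any(c.isspace() or ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # user:pass@host syntax can hide the real host behind a trusted-looking one.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    # Exact host match: no suffix or substring comparison.
    if parts.hostname not in ALLOWED_HOSTS:
        return False
    if parts.query or parts.fragment:
        return False
    if not parts.path.startswith(ALLOWED_PATH_PREFIX):
        return False
    # The remainder must be a plain identifier: no "/", "..", or "%" escapes.
    cert_id = parts.path[len(ALLOWED_PATH_PREFIX):]
    return CERT_ID_RE.fullmatch(cert_id) is not None


if __name__ == "__main__":
    # URL as quoted in the post.
    sample = "https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-38317689"
    print(is_trusted_cert_url(sample))
```

A URL that passes this check only decides where the certificate may be downloaded from; the certificate chain still has to be validated, as the post suggests, before the key is used to verify a signature.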
