Just noticed this today and made sure that: 1) 2FA is activated and my phone number is not/should not be used to allow payments and/or account access (not listed as a backup). 2) Automatic access/One Touch is completely disabled. I tried several sites, such as AliExpress, Steam, etc. As far as I can tell, this SECURITY FLAW can be seen while using the pop-up payment flow. I didn't test whether this access (token/cookie) can be used to gain control over the account configuration/history/data, but it's certainly possible. SIM swapping is fairly easy and recurrent nowadays; this should not be taken lightly. I'm temporarily removing any sensitive data/credit card numbers from the site. I hope PayPal addresses this ASAP.