PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application.
The vulnerability was publicly disclosed on Monday by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth client. For its part, PayPal remedied the vulnerability about three weeks ago.
The OAuth flaw, according to Sanso, stemmed from the token request and acquisition process. For starters, PayPal allows developers to create and edit their own apps through its developer application dashboard. After creating them, developers can register those apps and obtain an access token for them by sending a request to the company, which acts as an authorization server. Sanso found, however, that the PayPal authorization server could be overridden.