by boingy 4631 days ago
I've seen this on quite a few websites that use PayPal. If you have ever come across a site that has a 'You are now being redirected to PayPal, please wait' page in between the checkout and PayPal, then you will probably see something similar if you quickly hit ctrl+S.

It doesn't help that PayPal themselves (https://cms.paypal.com/uk/cgi-bin/?cmd=_render-content&conte...) have tutorials with lines like: <input type="hidden" name="amount" value="15.00">

3 comments

Some sites that use PayPal also have a form field for where to direct to upon successful purchase. Sometimes this page has a link to download the product you're meant to be purchasing.
PayPal tell you, when you get the payment confirmation through, to check the checkout ID against your own records for what the transaction should have been, but I have fixed just such vulnerabilities in my work before.
But when they redirect back, isn't it easy to verify the transaction?
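
The check discussed in the comments above, as an added example that is not part of the original thread: a merchant-side comparison of a payment notification against the order stored on the server, so a value edited in the hidden form field never decides what gets fulfilled. It assumes PayPal IPN-style field names (`invoice`, `payment_status`, `receiver_email`, `txn_id`, `mc_gross`, `mc_currency`) and that the notification's authenticity has already been confirmed with PayPal; the order store, merchant address and function name are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side records: the price lives here, not in the HTML form.
ORDERS = {"ORD-1001": {"amount": Decimal("15.00"), "currency": "GBP", "paid": False}}
MERCHANT_EMAIL = "seller@example.test"  # constructed placeholder
SEEN_TXNS = set()                       # transaction ids already processed


def check_notification(n):
    """Compare an already-authenticated notification with our own order record.

    Returns (ok, reason). The order is marked paid only when every field
    matches what the server expected to be charged.
    """
    order = ORDERS.get(n.get("invoice"))
    if order is None:
        return False, "unknown order"
    if n.get("payment_status") != "Completed":
        return False, "payment not completed"
    if n.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "wrong receiver"
    txn_id = n.get("txn_id")
    if not txn_id:
        return False, "missing transaction id"
    if txn_id in SEEN_TXNS:
        return False, "duplicate transaction"
    try:
        paid = Decimal(n.get("mc_gross", ""))
    except InvalidOperation:
        return False, "bad amount"
    if not paid.is_finite():
        return False, "bad amount"
    # Exact decimal comparison against the stored price and currency.
    if paid != order["amount"] or n.get("mc_currency") != order["currency"]:
        return False, "amount mismatch"
    if order["paid"]:
        return False, "order already paid"
    SEEN_TXNS.add(txn_id)
    order["paid"] = True
    return True, "ok"


# Constructed sample notification matching the stored order.
GOOD = {"invoice": "ORD-1001", "payment_status": "Completed",
        "receiver_email": "seller@example.test", "txn_id": "TXN-A1",
        "mc_gross": "15.00", "mc_currency": "GBP"}
```

Access to the download or success page should be granted only after this check returns `(True, "ok")`, not on arrival at the redirect URL.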