[tokenizerrr]

That's good, but I think the user needs a way to confirm that the pop-in is actually served by paypal, and that that is where their credentials will go. As it is now, what will stop me from faking one of these forms, making it look totally legit, but instead sending the logins to my own server?

[true_religion]

I don't think anything can stop someone from phishing so long as we have iframes, and users trained to accept their use.

[tokenizerrr]

Well yes, my point is not to use an iframe like this (unless browsers start to include their own URL bars for those, though that still seems like a terrible idea). Previously paypal opened a regular popup (an entirely new window with its own url bar) or simply redirected the page. Both of those will fully inform the user about what site they are filling their credentials into.

[justinpaulson]

What would ever have stopped you from doing that? What will stop you from doing that in the future?

[tokenizerrr]

Uh, the fact that normal paypal integrations redirect you to a https://paypal.com page that has paypal.com in the url bar, and a green mark for an ssl certificate that says "Paypal, Inc [US]"? Which we have trained everyone to look out for.

[ericras]

If from the beginning users were trained to only login to Paypal if they're on paypal.com. Could be accomplished in this sort of transaction via a new popup window.

Of course, the horse is long out of the barn on this.