Security is hard. I think the more important thing here is that PayPal fixed it quickly and honored the bug bounty. I'd be more worried if they tried to shove it under the rug.
Security is hard. But activating tokens before a user has actually logged in is a breathtakingly incompetent, fundamental design flaw. How such code ever made it into the production code base of a company responsible for protecting billions of dollars along with financial information for a significant portion of the world is incomprehensible. It makes me wonder what else is lurking over there.