Anytime session data is exposed it's going be bad. While "exploring" the flow of PayPal authentication a researcher found just that. In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file. What is cool about this one is the fact that although a Javascript obfuscator was used to randomize variable names on each request, the interesting tokens were still placed in fairly predictable locations, making it possible to retrieve them. It's another great story of how a bug bounty program saved PayPal from imminent self-destruction.