PayPal: XSSI on refer.xoom.com allows stealing email addresses and posting to Twitter on behalf of victim

Due to a cross-origin configuration, the application at refer.xoom.com could be embedded in script tags on other websites. If a malicious site were open in the same browser as refer.xoom.com, the malicious site could see and extract data from the referral page. This included the email addresses...