Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android]
Severity
Medium
Program
PayPal
Team Summary
Official summary from PayPal
A Bug Bounty researcher identified an issue where a JSON wrapper could be used to instantiate arbitrary Java objects. This could lead to circumstances where a class called in the PayPal Android app could be read by a malicious app on the same mobile device. A specific user’s session data could potentially be disclosed, including API tokens. PayPal’s investigation found no evidence of abuse due to this bug, and the issue was resolved on November 15, 2019.
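The summary does not say which class was involved or what the wrapper looked like, so the following is an added, hypothetical Java example (not PayPal's code and not the researcher's exploit) of the general pattern it describes: a JSON wrapper that lets the document itself name the class to instantiate, next to an allowlisted replacement. Everything here is constructed for illustration: `JsonWrapperDemo`, `SessionExporter`, `Greeting`, the field `sessionToken` and the output path are assumed names and values; `org.json` is the JSON library bundled with Android. The "malicious" JSON stands in for a string another app on the device could hand to an exported component in an Intent extra.

```java
// Added, hypothetical example (not PayPal's code). Shows a JSON wrapper that
// instantiates whatever class the JSON names, and an allowlisted replacement.
import org.json.JSONException;
import org.json.JSONObject;

import java.io.FileWriter;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

public class JsonWrapperDemo {

    // Constructed stand-in for the app's session state (hypothetical value).
    static String sessionToken = "example-api-token";

    // An ordinary app class: its constructor copies session data to a path.
    // Harmless when called by trusted code; dangerous when the path is chosen
    // by another app (e.g. a world-readable location on external storage).
    public static class SessionExporter {
        public SessionExporter(String path) throws IOException {
            try (FileWriter w = new FileWriter(path)) {
                w.write(sessionToken);
            }
        }
    }

    // The type the wrapper was actually meant to build.
    public static class Greeting {
        final String text;
        public Greeting(String text) { this.text = text; }
    }

    // VULNERABLE: the class name comes from the JSON document itself. Any
    // class in the app with a (String) constructor can be instantiated, and
    // its constructor runs with an attacker-supplied argument.
    static Object unsafeFromJson(String json) throws Exception {
        JSONObject obj = new JSONObject(json);
        Class<?> cls = Class.forName(obj.getString("class"));
        Constructor<?> ctor = cls.getConstructor(String.class);
        return ctor.newInstance(obj.getString("data"));
    }

    // HARDENED: a fixed allowlist of type tags -> factories. No reflection on
    // caller-controlled names; unknown tags are rejected before anything runs.
    static final Map<String, Function<String, Object>> ALLOWED = new HashMap<>();
    static {
        ALLOWED.put("greeting", Greeting::new);
    }

    static Object safeFromJson(String json) throws JSONException {
        JSONObject obj = new JSONObject(json);
        String type = obj.getString("type");
        Function<String, Object> factory = ALLOWED.get(type);
        if (factory == null) {
            throw new IllegalArgumentException("rejected type: " + type);
        }
        return factory.apply(obj.getString("data"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload, as another app could deliver it in an Intent extra
        // to an exported component that feeds the string to the wrapper. The
        // temp dir stands in for an attacker-readable path such as external storage.
        String leakPath = System.getProperty("java.io.tmpdir") + "/leak.txt";
        String malicious = new JSONObject()
                .put("class", SessionExporter.class.getName())
                .put("data", leakPath)
                .toString();

        Object o = unsafeFromJson(malicious);
        System.out.println("unsafe wrapper built " + o.getClass().getName()
                + "; session token written to " + leakPath);

        try {
            safeFromJson(malicious);   // no "type" key: rejected before any constructor runs
        } catch (JSONException | IllegalArgumentException e) {
            System.out.println("safe wrapper rejected payload: " + e.getMessage());
        }
        Object g = safeFromJson("{\"type\":\"greeting\",\"data\":\"hi\"}");
        System.out.println("safe wrapper built " + g.getClass().getSimpleName());
    }
}
```

The point of the hardened version is that the set of constructible types is fixed at compile time and keyed by an opaque tag, so a caller can never reach a class whose constructor has side effects. The same rule applies to any reflective or polymorphic deserializer (Gson's `RuntimeTypeAdapterFactory`, Jackson default typing, `Class.forName` on data from an Intent): reject unknown type tags before instantiation, and treat every exported component's extras as untrusted input from any app on the device.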
Reported by
bagipro
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Deserialization of Untrusted Data