Windows enthusiast site, MSFN.org, have highlighted a rather serious problem with PayPal's email removal feature.
Most emails sent from corporations have "removal" links to comply with anti-spam legislation in the USA. On clicking the link sent out by PayPal, users can remove themselves from future mailings from the company. However, the system used to do this suffers from a lack of proper input validation and security. By changing elements of the URL, a malicious user can reveal other PayPal user's email addresses. The problem exposes a serious flaw in the system.
The potential for damage is serious; ever inventive spammers already harvest email addresses from websites on a massive scale and it would take only the most basic of tools to gain a large list of PayPal email addresses. Exactly how exposed PayPal have left their users is not yet known. Neowin was able to manually gain the email addresses of 20 users within 5 minutes. Interestingly, although it's possible to unsubscribe a user, PayPal still hold their email address on file. So far, PayPal have not released a fix for the problem, and have not responded to our inquiries.
PayPal, now owned fully by eBay, have "56 million account members worldwide", and are "available in 45 countries" around the world. PayPal is a member of BBOnline, and TRUSTe, two privacy groups. BBOnline's terms state that member sites "must have appropriate security measures in place to prevent unauthorized electronic access".
Update : PayPal have now closed up the hole; they've yet to reply to concerns about their data security policy.