Adobe security engineer Antonio Sanso discovered the flaw over the summer and has worked with PayPal since September to fix the issue. The problem was found in the "redirect_uri" parameter included in server requests exchanged during the OAuth authentication procedure. PayPal fixed the flaw on November 7.
Source: Sanso went public with details on his blog. He said that depending on the scope (permission), the attacker could have had full access to customer accounts.

