Today we discovered a bug in our freelance script that allowed someone to add funds to their account without actually paying for it. The problem is with PayPal. The "programmer" who wrote this script actually sends the complete URL with the order authorization in the address bar. So all someone has to do is take out the return URL, and the funds are added.
Need it fixed asap. I can provide the URL via PBM.