First reported by Eduard Kovacs, the vulnerability could be exploited remotely and did not require any user interaction.
“After testing the web application paypal.com I discovered that if you have a US account and the following page is visited, you can add a new email from that page. The problem is even [though] the e-mail you try to add to your account is already registered with PayPal the new e-mail will be added into your account as unconfirmed,” the researcher said.
“After you add an existing email to your account, if you go to the account profile and you delete the unconfirmed email, the original account will be deleted too,” he added.
Once the original account is deleted, the attacker can create a new account with the same email address as its username. Of course, the re-created account will not contain any balance and is unverified.
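The flaw described above is an authorization bug in two steps: the "add email" step does not reject an address that is already confirmed on another account, and the "delete unconfirmed email" step resolves the address globally instead of within the caller's own account. The following is an added, illustrative model written for this page (not PayPal's code; all class and method names are assumptions) that reproduces the flawed logic in a toy registry and places the corrected checks beside it, so the difference in control flow is visible.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    primary_email: str
    balance: float = 0.0
    unconfirmed_emails: set = field(default_factory=set)


class Registry:
    """Toy account store. `hardened=False` reproduces the flaw; `hardened=True`
    applies the two checks a defender would add."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: dict[str, Account] = {}
        self.email_owner: dict[str, str] = {}  # confirmed email -> account_id

    def create(self, account_id: str, email: str, balance: float = 0.0) -> Account:
        if email in self.email_owner:
            raise ValueError("email already confirmed on another account")
        acct = Account(account_id, email, balance)
        self.accounts[account_id] = acct
        self.email_owner[email] = account_id
        return acct

    def add_email(self, account_id: str, email: str) -> bool:
        """Attach an address as 'unconfirmed' to the caller's account."""
        acct = self.accounts[account_id]
        if self.hardened and email in self.email_owner:
            # Fix 1: an address confirmed elsewhere must never be attachable,
            # even in an unconfirmed state.
            return False
        acct.unconfirmed_emails.add(email)
        return True

    def remove_unconfirmed_email(self, account_id: str, email: str) -> None:
        """Remove an unconfirmed address from the caller's account."""
        acct = self.accounts[account_id]
        if email not in acct.unconfirmed_emails:
            return
        acct.unconfirmed_emails.discard(email)
        if not self.hardened:
            # Flawed behaviour: the address is resolved globally and the
            # account it belongs to is removed, which can be someone else's.
            owner = self.email_owner.pop(email, None)
            if owner is not None:
                self.accounts.pop(owner, None)
        # Fix 2 (hardened): the removal is scoped to the caller's own
        # unconfirmed list and never touches the owner mapping or other
        # accounts, so there is nothing else to do here.


def run_scenario(hardened: bool) -> bool:
    """Simulate the reported flow on constructed sample accounts and return
    whether the victim account survives."""
    reg = Registry(hardened=hardened)
    reg.create("victim", "victim@example.test", balance=100.0)  # constructed
    reg.create("attacker", "attacker@example.test")             # constructed
    reg.add_email("attacker", "victim@example.test")
    reg.remove_unconfirmed_email("attacker", "victim@example.test")
    return "victim" in reg.accounts


if __name__ == "__main__":
    print("flawed: victim survives?", run_scenario(hardened=False))
    print("hardened: victim survives?", run_scenario(hardened=True))
```

In the hardened path the first check already stops the flow, but the second check matters on its own: any deletion endpoint that takes an identifier (here an email) should act only on objects owned by the authenticated caller, never on whatever the identifier resolves to globally. Both checks together are the defence; logging a rejected add of an already-confirmed address is also a cheap detection signal for this class of probing.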