I've seen this on quite a few websites that use PayPal. If you have ever come across a site that has a 'You are now being redirected to PayPal, please wait' page in between the checkout and PayPal, then you will probably see something similar if you quickly hit Ctrl+S.
PayPal tell you, when you get the payment confirmation through, to check the checkout ID against your own records for what the transaction should have been, but I have fixed just such vulnerabilities in my work before.
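The check against your own records that the comment above mentions, as an added example (not code from the original post or from PayPal): the confirmed payment is compared with the stored order instead of trusting values that passed through the browser. The field names, the order store and the merchant account are hypothetical, and the sample orders are constructed.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: the merchant's own order records, keyed by checkout ID.
ORDERS = {
    "CHK-1001": {"amount": Decimal("49.99"), "currency": "GBP", "paid": False},
    "CHK-1002": {"amount": Decimal("120.00"), "currency": "GBP", "paid": False},
}
MERCHANT_ACCOUNT = "shop@example.test"  # hypothetical receiving account
SEEN_TRANSACTIONS = set()               # transaction IDs already accepted


def check_confirmation(conf, orders=ORDERS, seen=SEEN_TRANSACTIONS):
    """Return a list of problems; an empty list means the order may be marked paid.

    `conf` is a dict of strings from the payment confirmation. The key names
    (checkout_id, amount, currency, receiver, status, txn_id) are hypothetical.
    """
    order = orders.get(conf.get("checkout_id", ""))
    if order is None:
        return ["unknown checkout ID"]
    problems = []
    if order["paid"]:
        problems.append("order already paid")
    if conf.get("txn_id") in seen:
        problems.append("transaction ID already processed")
    if conf.get("status") != "Completed":
        problems.append("payment not completed")
    if conf.get("receiver") != MERCHANT_ACCOUNT:
        problems.append("paid to a different account")
    if conf.get("currency") != order["currency"]:
        problems.append("currency mismatch")
    try:
        paid = Decimal(conf.get("amount", ""))  # exact decimal, never float
    except (InvalidOperation, TypeError):
        paid = None
    if paid is None or not paid.is_finite() or paid != order["amount"]:
        problems.append("amount mismatch")
    return problems


def accept(conf, orders=ORDERS, seen=SEEN_TRANSACTIONS):
    """Mark the order paid only when every check passes; return the problems."""
    problems = check_confirmation(conf, orders, seen)
    if not problems:
        orders[conf["checkout_id"]]["paid"] = True
        seen.add(conf["txn_id"])
    return problems
```

The expected amount and currency come only from the server-side order record; nothing from the redirect page is used as the reference value.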
They exploited the fact that people didn't change the default passwords on their voicemail (e.g. 1234) and so were able to access them remotely using the same system a legitimate user who needed to access their voicemail remotely would use.
Not quite as bad, but it is also possible to get a user's IP address just by sending them a friend request. This has been known about and exploited for months, possibly over a year. It's meant that high-profile users of Skype on sites like YouTube or Twitch.tv have to keep their Skype private and/or connect to it specifically with a proxy to avoid getting DDoSed.