An XSS hole could apparently have allowed a crook to pop up a realistic PayPal "pay page" and steal the victim's card data. Paul Ducklin takes a look...