Oh man. Security is hard, and I expect security flaws to be found in almost any software.
But these don't _seem_ to be flaws that you'd have if you were spending as much money/resources/prioritization on security as I'd expect a business in Paypal's business to be spending.
Maybe, but maybe it is strategy rather than money.
This exploit is the result of several bugs in different systems coming together into one "super bug." If you have the same developers who wrote the code go back over that same code, they may not spot the bugs.
Microsoft do code reviews, but they also do fuzzing, unit testing, path diagrams, and other methods, with the hope that each type of testing will uncover different bugs. However, when you have bugs caused by multiple systems working together badly, it might be better solved by policy (e.g. this ONE piece of code does all of our CSRF from now on, no re-implementing it five different times).
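The "one piece of code does all of our CSRF" policy above, as an added example (not code from the original thread, and not PayPal's or Microsoft's code): a single token module plus a single guard that is applied at route-registration time, so a handler author cannot forget it or re-implement it badly. The `App`, `Request` and `SECRET_KEY` names are assumed for illustration; the token is bound to the session via HMAC and compared in constant time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: one per-deployment secret, loaded from config in a real app.
SECRET_KEY = secrets.token_bytes(32)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id: str) -> str:
    """Mint a CSRF token bound to this session: nonce.HMAC(session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(session_id: str, token: str) -> bool:
    """The only CSRF verification routine in the code base."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time compare: a per-handler `==` would be one of the "five reimplementations".
    return hmac.compare_digest(expected, mac)


@dataclass
class Request:
    """Constructed stand-in for a framework request object."""
    method: str
    path: str
    session_id: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_guard(handler):
    """Wrap a handler so every state-changing method is checked before it runs."""
    def wrapped(req: Request):
        if req.method not in SAFE_METHODS:
            token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
            if not verify_token(req.session_id, token):
                return 403, "CSRF check failed"
        return handler(req)
    return wrapped


class App:
    """Minimal router: the guard is applied at registration, not by each handler."""
    def __init__(self):
        self.routes = {}

    def route(self, path: str):
        def register(fn):
            self.routes[path] = csrf_guard(fn)
            return fn
        return register

    def dispatch(self, req: Request):
        handler = self.routes.get(req.path)
        if handler is None:
            return 404, "not found"
        return handler(req)


app = App()


@app.route("/transfer")
def transfer(req: Request):
    # Handler contains no CSRF logic at all; the policy is enforced centrally.
    return 200, f"moved {req.form['amount']}"


@app.route("/profile")
def profile(req: Request):
    return 200, "profile"


if __name__ == "__main__":
    sid = "sess-1"
    tok = issue_token(sid)
    print(app.dispatch(Request("POST", "/transfer", sid, {"amount": "5", "csrf_token": tok})))
    print(app.dispatch(Request("POST", "/transfer", sid, {"amount": "5"})))
```

Because `App.route` wraps every handler, a developer who adds a sixth endpoint gets the check for free, and a bug in `verify_token` has exactly one place to be fixed. Binding the token to `session_id` also means a token leaked from one session is useless against another.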
It wouldn't surprise me if companies such as PayPal have moles who actively compromise software through subtle means. If it can happen in the government, it can definitely happen in a huge software company.
But these don't _seem_ to be flaws that you'd have if you were spending as much money/resources/prioritization on security as I'd expect a business in Paypal's business to be spending.
Am I wrong?