This doesn't appear to work, whether I'm logged in or not. I'm pretty shocked that it ever did. Almost every automated scanning tool catches this, and Paypal has an in-house security team.
Article authors seem to be confused by the phrase: "Pass quarterly remove vulnerability scans". From what I know about PCI compliance, this is probably just a mistype and not indicative of anything actually meaningful. PCI compliance usually requires a quarterly security scan from a certified vendor. (The "Hacker Proof" "Hacker Safe" and similar badges are from these same services or similar.) These scans check your server(s) from the outside against a large panel of known-vulnerable software versions and common dangerous practices. They're useful tools, but no one should be misled into thinking they actually demonstrate security. The scans are typically passive only and don't do anything that could actually exploit a vulnerability or that require interacting with your site in any interesting way (such as logging in).
And it's not (as the article authors supposed) about removing vulnerabilities found in previous scans--you get the same (though updated) set of tests each scan and either pass or fail each time. Should you happen to fail, though, you can just upgrade, protect, or remove the problematic software (or make it hide its version number) and get scanned again until you pass.
These scanners are pretty much worthless. They are written by script kiddies for accountants who pretend they know something about IT when most of them have never administered a system.
Has anyone used Amazon payments on a site? Would you consider it a viable alternative to paypal now or in the future for donations, subscriptions, ebooks, etc. ?
They also don't seem to escape eBay auction names properly, in IPN notifications at least. If you have an auction name with & in it then that gets stuck straight into the URL encoded IPN body. You'd think this would be the sort of thing they'd really want to get right.
