"I realised that it’s a Java serialised object without any signature handled by the application [which] means that you can send serialised object of any existing class to a server and 'readObject' or 'readResolve' method of that class will be called"
So basically you can send any old bytecode down the line and have it executed. Brilliant. Is this a Paypal bug or a java bug?