Hacker News
Latin America's Stripe competitor (Mercado Pago) API Security Hole (ombulabs.com)
24 points by etagwerker 3987 days ago
5 comments

It's amazing, given how big they are in Latin America, that this went unnoticed.
Yes. I wish they were more like Github or Stripe about disclosing this sort of information.
Does Stripe operate in Latin America? How can they be competitors?
They don't, as you can see here: https://support.stripe.com/questions/what-countries-does-str...

So you're right, Mercado Pago and Stripe are not in direct competition, just in the same business.

They both operate in Mexico, so at least they compete in one country of Latin America.
Yeah, they don't operate in Latin America. Mercado Pago is Latin America's answer to Stripe, or PayPal, as I think they existed before Stripe came onto the scene.
Mercado Pago is 11 years old and part of the 16-year-old Mercado Libre, which is like eBay and the number one Latin American e-commerce site.
Yeah, Mercado Pago has been around longer than Stripe, but they are still rookies when it comes to their platform's security.

See Stripe's Security section: https://stripe.com/help/security

I'm still trying to find Mercado Pago's Security section and security vulnerability protocol (e.g. Who do I contact when I find the next security hole?)

Just because they're not doing it like Stripe doesn't mean they're rookies; they also did $7.1 billion in transactions last year. Most companies have pretty obscure/lacklustre security outreach; it's something that's getting a lot more emphasis these days than it used to.
Just because they did $7.1 billion in transactions last year doesn't mean they're not rookies.

Most of the big IT companies on this side of the world follow the ideology of "we don't care about doing things correctly, we only care about getting the stuff done" and succeed because of the traction they generate due to the lack of serious competition.

Recently Amazon joined the e-commerce arena in Mexico, but my expectation is that Mercado Libre will follow in the footsteps of Ask.com, SourceForge, etc. instead of improving; they have been arbitrarily introducing UX anti-patterns in recent years in order to protect their income at the expense of the users.

Maybe rookies wasn't the right word.

The fact that they allowed such a blatant vulnerability to reach production makes me question their test suite and development process. What else is wrong that we are not seeing?

I expect more transparency and professionalism from a company that processes $7.1 billion in transactions.

So what was the glitch?
Using their authentication mechanism, a user should only get an access token with the right combination of client ID and client secret.

For at least 7 hours, anyone could get an access token for any client id, without entering the right client secret. With that access token they could see a lot of information for any account.

TL;DR: You could provide a "lalala" secret, or "whatever", and it would provide you with an actual access token for any client ID you passed to Mercado Pago's production server.
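The flaw described in the comment above is a client-credentials token endpoint that looks up the client ID but never checks the client secret. The following is an added example, not Mercado Pago's code or anything from the linked post: a minimal token issuer with the flawed lookup beside a hardened one that stores a salted hash of the secret and compares it in constant time, plus the regression check that would have caught the flaw before production. The client IDs, secrets and token format are made up for illustration.

```python
"""Client-credentials token issuance: the flawed lookup the thread describes,
a hardened version, and a regression check. All identifiers are constructed."""
import hashlib
import hmac
import secrets

# Constructed client registry (hypothetical IDs and secrets).
CLIENTS = {
    "app-1234": "s3cret-one",
    "app-5678": "s3cret-two",
}

# Dummy salt/hash used for unknown client IDs so the hardened path does the same
# amount of work whether or not the ID exists (avoids leaking valid IDs via timing).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the client secret (32-byte digest)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


# What a sane server stores: (salt, hash) per client, never the plaintext secret.
HASHED_CLIENTS = {}
for _cid, _secret in CLIENTS.items():
    _salt = secrets.token_bytes(16)
    HASHED_CLIENTS[_cid] = (_salt, _hash_secret(_secret, _salt))


def _mint_token(client_id: str) -> dict:
    """Opaque bearer token bound to the client it was issued for."""
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "client_id": client_id,
        "expires_in": 3600,
    }


def issue_token_vulnerable(client_id: str, client_secret: str):
    """Flawed issuer: verifies only that the client ID exists. The secret
    parameter is accepted but never compared, so "lalala" works for any ID.
    This reproduces the behaviour the thread describes on purpose."""
    if client_id not in CLIENTS:
        return None
    return _mint_token(client_id)


def issue_token_hardened(client_id: str, client_secret: str):
    """Hardened issuer: the secret must match the stored salted hash.
    Returns None (a 401 invalid_client in a real endpoint) on any failure."""
    record = HASHED_CLIENTS.get(client_id)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash_secret(client_secret, salt)
    # Constant-time comparison; also fails closed for unknown IDs.
    if record is None or not hmac.compare_digest(candidate, expected):
        return None
    return _mint_token(client_id)


def secret_is_enforced(issuer) -> bool:
    """Regression check for a token endpoint: a wrong secret must yield no token,
    the right secret must yield one, and an unknown ID must yield none."""
    wrong = issuer("app-1234", "lalala") is None
    right = issuer("app-1234", CLIENTS["app-1234"]) is not None
    unknown = issuer("no-such-client", CLIENTS["app-1234"]) is None
    return wrong and right and unknown


if __name__ == "__main__":
    print("vulnerable issuer enforces secret:", secret_is_enforced(issue_token_vulnerable))
    print("hardened issuer enforces secret:  ", secret_is_enforced(issue_token_hardened))
```

The `secret_is_enforced` check is the kind of test that belongs in the suite for any token endpoint: it exercises the negative case (wrong secret, unknown client), not only the happy path, which is exactly what the flawed issuer passes and the hardened one fails to be fooled by.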
eBay is the largest common stock owner in MercadoLibre.
The title should be changed to something like "Latin America's Stripe competitor didn't validate access tokens"; almost nobody from outside LATAM will know what Mercado Pago is, nor why the discussion of this vulnerability matters.
It's not a bad suggestion, but I'd keep Mercado Pago in the title as well. Mercado Libre/Pago is huge here in Latin America, and I wouldn't have read this post otherwise.
I've updated the post title with your suggestions. Thanks!