

Latin America's Stripe competitor (Mercado Pago) API Security Hole - etagwerker
http://www.ombulabs.com/blog/security/mercado-pago-security-vulnerability.html?utm_source=twitter

======
mauro_oto
It's amazing, given how big they are in Latin America, how this went by
unnoticed.

~~~
etagwerker
Yes. I wish they were more like Github or Stripe about disclosing this sort of
information.

------
wzy
Does Stripe operate in Latin America? How can they be competitors?

~~~
mauro_oto
Yeah, they don't operate in Latin America. Mercado Pago is Latin America's
answer to Stripe, or PayPal, as I think they existed before Stripe came onto the
scene.

~~~
benologist
Mercado Pago is 11 years old and part of the 16 year old Mercado Libre, which
is like eBay and the number 1 Latin American ecommerce site.

~~~
etagwerker
Yeah, Mercado Pago has been around more than Stripe, but they are still
rookies when it comes to their platform's security.

See Stripe's Security section:
[https://stripe.com/help/security](https://stripe.com/help/security)

I'm still trying to find Mercado Pago's Security section and security
vulnerability protocol (e.g. who do I contact when I find the next security
hole?).

~~~
benologist
Just because they're not doing it like Stripe doesn't mean they're rookies;
they also did _$7.1 billion_ in transactions last year. Most companies have
pretty obscure/lacklustre security outreach; it's something that's getting a
lot more emphasis these days than it used to.

~~~
etagwerker
Maybe rookies wasn't the right word.

The fact that they allowed such a blatant vulnerability to reach production
makes me question their test suite and development process. What else is wrong
that we are not seeing?

I expect more transparency and professionalism from a company that processes
$7.1 billion in transactions.

~~~
benologist
It's not unreasonable to expect better transparency; that's something that's
improving too slowly. We don't even know if this was exploited yet, and it's
been a couple of months, and there's always a lot of opacity around hacking
incidents.

Security is hard and accidents are easy: Dropbox once had a four-hour period
where they didn't verify passwords!

[http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/](http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/)

~~~
etagwerker
That is pretty embarrassing too, and an even bigger vulnerability, but Dropbox
released a statement about it.

I believe that owning up to your mistake and being transparent about it can
only make your customers trust you more. What worries me is that Mercado Pago
is huge and they never released a statement about this issue. I hope that they
change this policy soon.

------
pbreit
So what was the glitch?

~~~
etagwerker
Using their authentication mechanism, a user should only get an access token
with the right combination of client ID and client secret.

For at least 7 hours, anyone could get an access token for any client ID
without entering the right client secret. With that access token they could
see a lot of information for any account.
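The failure etagwerker describes above is a token endpoint that issues a token on a client ID alone. The following is an added example (not Mercado Pago's code or anything from the linked post) of a minimal client-credentials check in both forms, with a regression check of the kind a test suite should have caught this with; the client registry, secrets and salts are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed registry: client_id -> (salt, PBKDF2 hash of the client secret).
# Secrets are never stored in the clear, so the check compares derived hashes.
def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)

def _register(client_id: str, secret: str, registry: Dict[str, Tuple[bytes, bytes]]) -> None:
    salt = os.urandom(16)
    registry[client_id] = (salt, _derive(secret, salt))

CLIENTS: Dict[str, Tuple[bytes, bytes]] = {}
_register("client-123", "s3cret-123", CLIENTS)   # constructed sample client
_register("client-456", "s3cret-456", CLIENTS)   # constructed sample client

def issue_token_vulnerable(client_id: str, client_secret: str) -> Optional[str]:
    """Mirrors the flaw in the thread: the secret parameter is accepted but
    never compared, so any known client_id is enough to obtain a token."""
    if client_id not in CLIENTS:
        return None
    return secrets.token_urlsafe(32)

def issue_token_fixed(client_id: str, client_secret: str) -> Optional[str]:
    """Issue a token only when the presented secret matches the stored hash.
    hmac.compare_digest keeps the comparison constant-time, and an unknown
    client_id and a wrong secret are rejected identically."""
    entry = CLIENTS.get(client_id)
    if entry is None:
        return None
    salt, stored = entry
    if not hmac.compare_digest(_derive(client_secret, salt), stored):
        return None
    return secrets.token_urlsafe(32)

def regression_check() -> bool:
    """The test a CI suite should run on every deploy of the token endpoint:
    a wrong secret must never yield a token, a right one must."""
    return (
        issue_token_fixed("client-123", "wrong-secret") is None
        and issue_token_fixed("client-123", "") is None
        and issue_token_fixed("no-such-client", "s3cret-123") is None
        and issue_token_fixed("client-123", "s3cret-123") is not None
    )
```

Running `regression_check()` against `issue_token_vulnerable` instead would fail on the first condition, which is exactly the gap the post reports.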

------
sogen
eBay is the largest common stock owner in MercadoLibre.

------
Aldo_MX
The title should be changed to something like "Latin America's Stripe
competitor didn't validate access tokens"; almost nobody from outside LATAM
will ever know what Mercado Pago is, nor why the discussion of this
vulnerability matters.

~~~
the_af
It's not a bad suggestion, but I'd keep Mercado Pago in the title as well.
Mercado Libre/Pago is huge here in Latin America, and I wouldn't have read
this post otherwise.

~~~
etagwerker
I've updated the post title with your suggestions. Thanks!

