A bug in the API offered by Mercado Pago, the payment system operated by popular online marketplace Mercado Libre, allowed anyone to obtain an access token for any account.
The vulnerability was identified by software development firm Ombu Labs, which discovered it when an integration test designed to ensure that API calls with the wrong user credentials didn't work started failing. In other words, Ombu Labs was able to obtain a Mercado Pago API access token for another user using incorrect authentication information.
With that token, Ombu Labs was able to retrieve sensitive information from an account that didn't belong to it. As Ombu Labs' Ernesto Tagwerker points out, the data exposed by this bug included "information about all the payments that your account had received since you started using the service" as well as "information about your clients, their DNI, name, phone number."
Most worrisome, the nature of the bug meant it could be exploited by just about anyone capable of using the Mercado Pago API.
Ombu Labs reported its discovery to Mercado Libre on April 17, and it was fixed within seven hours, but according to Tagwerker, Mercado Libre never disclosed information about the incident to Mercado Pago users.
"It's hard to understand how such a big payment processor never published information about this security hole. I would expect them to know if some information was accessed by people who didn't have access to it," he wrote. "They could check their access logs and see who accessed their API using a secret that wasn't the right one. Then they could inform their customers of this problem and warn them about this situation."
Even if Mercado Libre determined that the security hole was not used by anyone else to obtain unauthorized access to accounts, it is surprising that the information was not disclosed publicly given the serious nature of such a vulnerability. It is even more surprising that such a serious security hole made it into production.
This highlights the importance of adopting a thorough API development cycle and ensuring that robust testing, including negative tests that confirm requests with the wrong credentials are rejected, is part of it. The good news for API providers is that tools designed specifically for API development have grown significantly in number and sophistication in recent years, so there is no excuse for bugs like the one that affected Mercado Pago's API to ever creep into a production deployment.
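The kind of negative integration test that caught this bug, written out as an added example that is not code from the article, Ombu Labs or Mercado Pago. The token endpoint, the credential store, the client ids and the two handler variants are all constructed here; the "vulnerable" handler illustrates one way a token endpoint can hand out a token for the wrong account (never verifying the client secret), not the actual defect in Mercado Pago's API, which the article does not describe at code level.

```python
"""Negative-path test for an OAuth-style client-credentials token endpoint.

Added example: every identifier below (CLIENTS, the client ids and secrets,
the handler names) is constructed for illustration and assumes nothing
about the real Mercado Pago API.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed credential store: client_id -> (client_secret, account_id).
CLIENTS = {
    "client-A": ("secret-A", "account-A"),
    "client-B": ("secret-B", "account-B"),
}


@dataclass
class TokenResponse:
    status: int
    token: Optional[str] = None
    account_id: Optional[str] = None
    error: Optional[str] = None


def issue_token_vulnerable(client_id: str, client_secret: str) -> TokenResponse:
    """Illustrative defect: resolves the account from client_id but never
    checks client_secret, so any caller who knows an id gets that account's
    token. This is a hypothetical handler, not Mercado Pago's code."""
    if client_id not in CLIENTS:
        return TokenResponse(status=401, error="invalid_client")
    _, account_id = CLIENTS[client_id]
    return TokenResponse(status=200, token=secrets.token_urlsafe(32), account_id=account_id)


def issue_token_fixed(client_id: str, client_secret: str) -> TokenResponse:
    """Hardened form: the secret must match before a token is minted.
    hmac.compare_digest keeps the comparison constant-time, and unknown ids
    and wrong secrets produce the same error so the response does not
    reveal which client ids exist."""
    record = CLIENTS.get(client_id)
    if record is None:
        # Compare against a dummy value so the unknown-id path takes
        # roughly the same time as the wrong-secret path.
        hmac.compare_digest(client_secret.encode(), b"\x00" * 8)
        return TokenResponse(status=401, error="invalid_client")
    expected_secret, account_id = record
    if not hmac.compare_digest(client_secret.encode(), expected_secret.encode()):
        return TokenResponse(status=401, error="invalid_client")
    return TokenResponse(status=200, token=secrets.token_urlsafe(32), account_id=account_id)


Handler = Callable[[str, str], TokenResponse]


def wrong_credentials_are_rejected(issue_token: Handler) -> bool:
    """The check the article describes: calls with the wrong credentials must
    not return a token, and in particular must never return a token bound
    to an account the caller did not authenticate for."""
    cases = [
        ("client-A", "secret-B"),      # valid id, another client's secret
        ("client-A", "not-a-secret"),  # valid id, arbitrary wrong secret
        ("client-A", ""),              # valid id, empty secret
        ("nobody", "secret-A"),        # unknown id, real-looking secret
    ]
    for client_id, client_secret in cases:
        resp = issue_token(client_id, client_secret)
        if resp.status != 401 or resp.token is not None or resp.account_id is not None:
            return False
    return True


def correct_credentials_are_accepted(issue_token: Handler) -> bool:
    """Positive path, so the negative test cannot pass merely because the
    endpoint rejects everything."""
    resp = issue_token("client-A", "secret-A")
    return resp.status == 200 and resp.token is not None and resp.account_id == "account-A"


if __name__ == "__main__":
    for name, handler in (("vulnerable", issue_token_vulnerable), ("fixed", issue_token_fixed)):
        print(f"{name}: rejects wrong credentials={wrong_credentials_are_rejected(handler)}, "
              f"accepts correct credentials={correct_credentials_are_accepted(handler)}")
```

Run against the vulnerable handler the negative test fails on the very first case, which is exactly the signal Ombu Labs saw in its suite; run against the fixed handler both the negative and positive checks pass. Keeping the positive-path assertion beside the negative one matters: a test that only asserts rejection is satisfied by an endpoint that is broken in the other direction.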