MercadoPago Credentials Detector #4620

@random-robbie

TruffleHog Feature Request: MercadoPago Credentials Detector

Description

MercadoPago is one of the largest payment processing platforms in Latin America, processing billions of dollars in transactions annually. It's widely used across Argentina, Brazil, Mexico, Chile, Colombia, Peru, and Uruguay. Currently, TruffleHog does not have a detector for MercadoPago credentials, which poses a significant security risk as these credentials provide full access to merchant payment processing capabilities.

I discovered MercadoPago production credentials exposed via an unsecured Kubernetes kubelet endpoint, highlighting the real-world need for automated detection of these secrets.

Preferred Solution

Implement a new detector for MercadoPago credentials that can identify and verify the following credential types:

1. Access Token (Secret Credential)

Pattern: APP_USR-{user_id}-{date}-{hash}__LA_LD__-{merchant_id}

Format Details:

  • Prefix: APP_USR-
  • User ID: 16-digit numeric identifier
  • Date: 6-digit format (MMDDYY)
  • Hash: 32-character hexadecimal string
  • Region marker: __LA_LD__ (Latin America - Live Data)
  • Merchant ID: Variable length numeric identifier

Example Pattern:

APP_USR-1234567890123456-010122-a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6__LA_LD__-987654321

Regex Suggestion:

APP_USR-\d{16}-\d{6}-[a-f0-9]{32}__[A-Z]{2}_[A-Z]{2}__-\d+

2. Public Key (Low-risk but useful for context)

Pattern: APP_USR-{uuid}

Format Details:

  • Prefix: APP_USR-
  • UUID: Standard UUID format (8-4-4-4-12 hex format)

Example Pattern:

APP_USR-12345678-1234-1234-1234-123456789abc

Regex Suggestion:

APP_USR-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}

3. Client ID (Context identifier)

Pattern: Custom string identifier (e.g., example_merchant)

This is typically a merchant-specific identifier and less critical but useful for context.

Verification Method

MercadoPago credentials can be verified using their REST API:

Endpoint: https://api.mercadopago.com/v1/payments/search

Method: GET

Headers:

Authorization: Bearer {ACCESS_TOKEN}

Test Request:

curl -X GET \
  'https://api.mercadopago.com/v1/payments/search?sort=date_created&criteria=desc&range=date_created&begin_date=NOW-1DAYS&end_date=NOW' \
  -H 'Authorization: Bearer APP_USR-1234567890123456-010122-a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6__LA_LD__-987654321'

Expected Responses:

  • Valid credential (200 OK): Returns a JSON body with payment data, or an empty results array when the merchant has no recent payments
  • Invalid credential (401 Unauthorized): Returns a JSON error body whose message is "invalid_token" or "malformed_access_token"
  • Expired credential (401 Unauthorized): Returns a JSON error body whose message is "expired_token"

Success Response Example:

{
  "paging": {
    "total": 0,
    "limit": 30,
    "offset": 0
  },
  "results": []
}

Failure Response Example:

{
  "message": "invalid_token",
  "error": "unauthorized",
  "status": 401
}
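As an added example (not code from this issue or from TruffleHog), the stand-alone Go sketch below applies the two regexes proposed above to scanned text and maps the documented 200/401 responses to a verdict; the Candidate and Classify names, and treating any other status as "unknown" rather than "invalid", are my own choices. It does not perform the HTTP request itself; a caller would feed the status code and body of the search request shown above into Classify.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Candidate is one credential string found in scanned text.
type Candidate struct{ Kind, Value string }
// patterns holds the two regexes proposed in the issue, checked in this order.
var patterns = []struct{ kind string; re *regexp.Regexp }{
	{"access_token", regexp.MustCompile(`APP_USR-\d{16}-\d{6}-[a-f0-9]{32}__[A-Z]{2}_[A-Z]{2}__-\d+`)},
	{"public_key", regexp.MustCompile(`APP_USR-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}`)},
}

// FindCandidates scans raw text (a dumped pod spec, a .env file) for both formats.
func FindCandidates(text string) []Candidate {
	var out []Candidate
	for _, p := range patterns {
		for _, m := range p.re.FindAllString(text, -1) {
			out = append(out, Candidate{p.kind, m})
		}
	}
	return out
}

// Classify maps the verification response to a verdict using the messages the issue
// lists. Anything but 200/401 (rate limit, outage) stays "unknown", never "invalid".
func Classify(status int, body []byte) string {
	var e struct{ Message string `json:"message"` }
	_ = json.Unmarshal(body, &e) // a non-JSON body just leaves Message empty
	switch {
	case status == 200:
		return "valid"
	case status == 401 && e.Message == "expired_token":
		return "expired"
	case status == 401: // invalid_token, malformed_access_token
		return "invalid"
	}
	return "unknown"
}

func main() {
	sample := "MERCADO_PAGO_ACCESS_TOKEN=APP_USR-1234567890123456-010122-a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6__LA_LD__-987654321\n" + // constructed from the issue's placeholders, not a real credential
		"MERCADO_PAGO_PUBLIC_KEY=APP_USR-12345678-1234-1234-1234-123456789abc\n"
	for _, c := range FindCandidates(sample) { // print only the tail so a finding is not re-leaked
		fmt.Printf("%-12s ...%s\n", c.Kind, c.Value[len(c.Value)-4:])
	}
}
```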

Impact & Risk Level

Severity: HIGH

Exposed MercadoPago credentials allow attackers to:

  • View all transaction history and customer payment data
  • Process refunds without authorization
  • Create new payment links and collect payments
  • Modify merchant account settings
  • Access customer PII (names, emails, payment methods)
  • Potentially withdraw funds depending on account permissions

Additional Context

Common Environment Variable Names

MercadoPago credentials are typically stored in environment variables or configuration files with these naming patterns:

  • MERCADO_PAGO_ACCESS_TOKEN
  • MERCADOPAGO_ACCESS_TOKEN
  • MP_ACCESS_TOKEN
  • MERCADO_PAGO_PUBLIC_KEY
  • MERCADOPAGO_PUBLIC_KEY
  • MP_PUBLIC_KEY
  • MERCADO_PAGO_CLIENT_ID
  • MERCADO_PAGO_CLIENTID
  • MERCADOPAGO_CLIENT_SECRET (for OAuth flows)

Real-World Discovery Context

These credentials were discovered in:

  • Kubernetes pod environment variables exposed via kubelet API (port 10255)
  • Application: Production e-commerce/travel booking system
  • Location: Environment variables in container specifications

Example Credentials Format

The following demonstrates the typical format of MercadoPago credentials as found in environment variables:

# Access Token (Secret) - Example format only
MERCADO_PAGO_ACCESS_TOKEN=APP_USR-1234567890123456-010122-a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6__LA_LD__-987654321

# Public Key - Example format only
MERCADO_PAGO_PUBLIC_KEY=APP_USR-12345678-1234-1234-1234-123456789abc

# Client ID - Example format only
MERCADO_PAGO_CLIENTID=example_merchant

# Transaction Prefix (merchant context)
MERCADO_PAGO_TRANSACTION_PREFIX=MPT

Discovery Context: These credential patterns were observed in production Kubernetes environments exposed via unsecured kubelet APIs, demonstrating real-world exposure scenarios.

References

Similar Existing Detectors

TruffleHog already has detectors for similar payment processors:

  • Stripe (API keys with sk_live_ prefix)
  • Square (OAuth tokens)
  • PayPal (Client ID/Secret pairs)

The MercadoPago detector would follow a similar pattern but with the unique APP_USR- prefix format.

Geographic Importance

MercadoPago is the dominant payment platform in Latin America, comparable to Stripe's position in North America. Companies using MercadoPago include:

  • E-commerce platforms across LATAM
  • Travel booking systems
  • Marketplace applications
  • SaaS products targeting Latin American markets

Given its market dominance in the region, detecting exposed MercadoPago credentials would provide significant security value for organizations operating in or serving Latin American markets.
