
company of the week: mercado libre

mercado libre locks the storefront down hard — short-lived tokens (every one already expired), 403s everywhere, no secrets. then its back office, adminml.com, narrates its own internals in public.

Mercado Libre is Latin America's everything-store: the marketplace, the wallet (Mercado Pago), the storefront builder that lets a merchant run their own shop on its rails (Mercado Shops), and the shipping network underneath (Mercado Envíos, plus the Kangu logistics brand it folded in) — roughly ten countries run off one estate. It runs a public bug bounty on HackerOne, which puts that estate in scope for outside research.

neobotnet was pointed at it. What follows isn't an exploit — it's the shortlist a researcher would build before trying one. The full index is in /urls. The short version: the part of Mercado Libre that customers touch is locked down hard. The part that staff touch is the part that talks.

  • 37 in-scope roots
  • 5,005 dns resolved
  • 1,324 live web servers
  • 56 technologies
  • 97,926 urls indexed

read from dns: four companies in one zone

Thirty-seven root domains, and you can read the whole business off them before probing a single host. They sort into four products and a spine:

  • the marketplace: mercadolibre.com and its country sites (.com.ar, .com.mx, .com.co, .com.pe, .com.uy, .cl), plus mercadolivre.com.br. Brazil is the one market that spells it "livre" — Portuguese for free — and the domain follows the language.
  • the wallet: mercadopago.com and the same country spread. This is the regulated, money-moving half: Mercado Pago is roughly the Latin-American PayPal.
  • the storefront builder: mercadoshops.* across thirteen countries, the Shopify-style product a merchant uses to run their own shop on Mercado Libre's infrastructure.
  • the shipping network: kangu.com.br, kangu.tech, and gokangu.*: a logistics company Mercado Libre absorbed, whose brand kept its own domains.

Two more names aren't products. mlstatic.com is the static-asset CDN — where images and JavaScript bundles live. And adminml.com is the back office. Hold onto that one.

The corpus later adds a brand the DNS doesn't: portalinmobiliario.com, Mercado Libre's Chilean real-estate business, which surfaces only inside the company's own redirect URLs. One company keeps showing you new business lines from inside its own links.

read from http: a front built to take a beating

The live surface is 1,324 hosts answering HTTP 200 out of roughly 4,700 probed — and the single most common response across the whole indexed corpus isn't 200, it's 403: more than half of the ~90,000 URLs neobotnet has on file are forbidden. For a surface this size, that's a front line that mostly says no.

What's holding the line is partly home-built. The two most common server fingerprints aren't off-the-shelf: Tengine — the nginx fork Alibaba open-sourced — on about 1,030 hosts, and Envoy — a service-mesh proxy — on about 970, sitting in front of Amazon CloudFront and a React frontend. Mercado Libre runs its own edge and its own service mesh rather than renting one. That's the profile of a company with the engineers to build their own plumbing, and it shows in how little leaks from the consumer side.

So the interesting reading isn't the front door. It's the staff entrance.

read from the back office: adminml.com

adminml.com is one of the 37 in-scope roots, and it's Mercado Libre's internal estate — 239 hosts neobotnet reached from the open internet. The good news for Mercado Libre first: 199 of those 239 sit behind a Google Workspace sign-in (the page titled Sign in - Google Accounts). The control is mostly there. You can't click into these tools without a corporate Google account.

But a login page stops you from using a system. It doesn't stop you from reading it — and the back office reads like an internal wiki:

  • the org chart, by hostname. envios.adminml.com (shipping), cx-coco-fe-prod.adminml.com (customer-care), shipping-bo.adminml.com (a shipping back-office), xtools.adminml.com, a scarif service, an alfred service, and a couple of hosts titled MELI GPT (an internal LLM tool). Each name is a team and a system, published before you authenticate to any of them.
  • three identity systems, not one. Most of the estate is Google Workspace, but two more sit alongside it: an Okta tenant (auth-meli.adminml.com, okta-login-shipping.adminml.com) and an Auth0 tenant (auth.mercadolibre.adminml.com, issuing standard authorize flows for openid profile email). Three front doors to one building means three sets of rules that all have to be right.
  • the non-production copies are reachable too. auth-testing-meli.adminml.com and auth-preprod-meli.adminml.com resolve and answer from the public internet. A test identity tenant is the soft version of the real one — likelier to carry test accounts and relaxed MFA — and here it's a hostname anyone can find.
  • the api shapes are in the crawl. Even gated, the request patterns neobotnet captured describe the back-office API: a file endpoint keyed by container and filename (/api/drive/attachments?container=cx_drive&filename=…), a shipping files endpoint keyed by serviceId and transactionId, and a user-search tool (/tools/auth/users?search=…). Those are three of the first shapes a researcher tests for broken access control — read a file you shouldn't, swap an ID for someone else's record, query a directory that should be closed. neobotnet surfaces the shape; whether each endpoint actually enforces the login in front of it is the part you'd confirm by hand.

None of this is a way in. It's the map you'd draw before looking for one — and Mercado Libre drew it for you, in DNS and request logs.

explore the back office in /urls →

[screenshot: mercado libre's internal back-office estate, adminml.com, indexed in /urls]

read from the urls: tokens where they shouldn't be

The URL corpus carries 1,574 JSON Web Tokens — signed, tamper-evident tokens — sitting in a query parameter named signed. Decode one and it's reassuring: it's a Mercado Shops "check-session" token, issued by the storefront frontend, valid for exactly thirty seconds, and every one neobotnet holds expired in January 2023. The payload carries no personal data — just a callback URL and the issuing store. This is close to how you'd want a URL token to behave: short-lived, scoped, disposable. The only real smell is that it rides in the URL at all, where it lands in server logs, browser history, and an outside crawler's index. The tokens are dead and the fix is small; the pattern is what's worth retiring.

see the signed tokens in /urls →

[screenshot: 1,574 signed jwts sitting in a signed= url parameter, in /urls]

The tokens worth a longer look are on the money side. Across Mercado Pago and the marketplace, neobotnet caught bearer-style tokens riding in query strings on exactly the flows where they'd hurt most: /registration-confirm/confirm?token= and a Mercado Pago login at /jms/mpe/lgz/login?token= (both returning some 200s), /refunds/confirm?token=, /gz/checkout/buy?token=, and /account/change_ownership?rtk= — a 762-character refresh-style token on an account-ownership change. One endpoint on .com.ar, /jm/searchXml, takes a literal pwd= parameter. A token or a password in a URL is the same problem as the expired Shops tokens, but on flows that move money and accounts: it leaks through the Referer header to every third-party script on the page, through CDN and proxy logs, and through history. Whether any one is replayable is the researcher's job; that they travel in URLs at all is neobotnet's.

see the tokens and credentials in /urls →

[screenshot: bearer tokens and credentials in url parameters on payment and account flows, in /urls]
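Added here as an illustration, not neobotnet's or Mercado Libre's code: the triage pass a defender would run over their own access or CDN logs to catch the pattern described in the last two sections, flagging the query-parameter names this post names (signed, token, rtk, pwd) and, for JWT-shaped values, decoding the payload without verifying it to report lifetime and expiry. The hostnames, the token and the sample URLs are constructed.

```python
import base64
import json
import time
from urllib.parse import parse_qsl, urlsplit

# Parameters that carried tokens or a password in the corpus described above.
CREDENTIAL_PARAMS = {"signed", "token", "rtk", "pwd"}

def _b64url_json(segment):
    """Decode one base64url JWT segment; no signature check, this is log triage."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def describe_jwt(value, now):
    """Lifetime and expiry facts for a JWT-shaped value, or None if it is not one."""
    parts = value.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = _b64url_json(parts[1])
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass ValueError
        return None
    if not isinstance(payload, dict):
        return None
    iat, exp = payload.get("iat"), payload.get("exp")
    return {
        "lifetime_s": exp - iat if isinstance(iat, int) and isinstance(exp, int) else None,
        "expired": isinstance(exp, int) and exp <= now,
        "claims": sorted(payload),  # claim names only; values stay out of the report
    }

def scan_url(url, now=None):
    """One finding per credential-bearing query parameter in a logged URL."""
    now = time.time() if now is None else now
    return [{"param": name, "length": len(value), "jwt": describe_jwt(value, now)}
            for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if name.lower() in CREDENTIAL_PARAMS]

def _demo_jwt(iat, exp):
    """Constructed 30-second check-session-style token with a placeholder signature."""
    seg = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = json.dumps({"alg": "HS256", "typ": "JWT"}).encode()
    payload = json.dumps({"iat": iat, "exp": exp, "callback": "https://shop.example/cb"}).encode()
    return ".".join([seg(header), seg(payload), seg(b"placeholder-signature")])

# Constructed sample URLs following the parameter shapes named above.
SAMPLE_URLS = [
    "https://shop.example/check-session?signed=" + _demo_jwt(1700000000, 1700000030),
    "https://pay.example/refunds/confirm?token=" + "a" * 40,
    "https://www.example/jm/searchXml?pwd=hunter2&q=tv",
]
```

Run over real logs, every hit is a value that already sits in Referer headers, proxy logs and browser history; the remedy is moving it to a POST body, a header or a single-use server-side handoff, not rotating the one token that was found.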

One signal that looks worse than it is: the go redirect parameter, on 159 hosts, with 784 cross-domain values — the classic open-redirect shape. Read the destinations and they're almost all Mercado Libre's own: myaccount.mercadolibre.*, www.mercadopago.*, the listing and questions subdomains, plus social-share links to Twitter, YouTube, and Instagram. go is Mercado Libre's house redirect parameter, and it mostly points home. A redirect that controls navigation across 159 hosts is still worth testing for the one validation gap — but this is a signal, not a finding.

see the redirect parameters in /urls →

[screenshot: the go redirect parameter and same-domain redirect signals, in /urls]
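An added example (not neobotnet's tooling) of how a defender would triage 784 go values before reading any by hand: bucket each destination as a relative path, a first-party host, a known social-share host, or something else, comparing the parsed hostname against an allowlist on a dot boundary rather than substring-matching. The allowlist is constructed from the roots this post names and the sample values are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Demo allowlist built from the roots this post names; a real one would hold
# all 37 in-scope roots.
COUNTRY_SUFFIXES = ("com", "com.ar", "com.mx", "com.co", "com.pe", "com.uy", "cl")
FIRST_PARTY_ROOTS = frozenset(
    [f"{brand}.{sfx}" for brand in ("mercadolibre", "mercadopago") for sfx in COUNTRY_SUFFIXES]
    + ["mercadolivre.com.br", "mlstatic.com", "adminml.com"]
)
SOCIAL_ROOTS = frozenset({"twitter.com", "youtube.com", "instagram.com"})

def _under(host, roots):
    """Exact or subdomain match on a dot boundary, so a host that merely
    contains a first-party name does not pass."""
    return any(host == r or host.endswith("." + r) for r in roots)

def classify_destination(value):
    """Bucket one go= value: relative, first-party, social, third-party or other-scheme."""
    parts = urlsplit(value.strip())
    if parts.scheme and parts.scheme not in ("http", "https"):
        return "other-scheme"  # anything that is not a web URL gets a human look
    if not parts.netloc:
        return "relative"  # /account/orders style: navigation stays on the host
    host = (parts.hostname or "").rstrip(".")  # .hostname drops userinfo and port
    if _under(host, FIRST_PARTY_ROOTS):
        return "first-party"
    if _under(host, SOCIAL_ROOTS):
        return "social"
    return "third-party"

def summarize(values):
    """Counts per bucket plus the sorted third-party residue worth reviewing by hand."""
    counts = Counter(classify_destination(v) for v in values)
    review = sorted({v for v in values if classify_destination(v) == "third-party"})
    return dict(counts), review

# Constructed sample go= values in the shapes the post describes.
SAMPLE_GO_VALUES = [
    "https://myaccount.mercadolibre.com.ar/settings",
    "https://www.mercadopago.com/",
    "//listado.mercadolibre.com.mx/tv",  # scheme-relative, host still first-party
    "/account/orders",
    "https://twitter.com/intent/tweet?text=hi",
    "https://www.youtube.com/watch?v=demo",
    "https://partner.example/landing",
    "https://mercadolibre.com.other.example/",  # looks first-party, is not
    "mailto:help@example",
]
```

The same `_under` check is what the redirect handler itself should apply before following a go value; a 784-value corpus that reduces to a handful of third-party entries is exactly the "signal, not finding" picture the post describes.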

what it adds up to

The consumer estate is genuinely well-built: a home-grown edge, more than half the surface forbidden by default, JWTs that expire in thirty seconds, and a back office that mostly sits behind Google sign-in. Mercado Libre is not leaking secrets. What it's leaking is structure — and three things rank above the rest for anyone working the program:

  1. the non-production auth tenants on adminml.com: auth-testing-meli and auth-preprod-meli, reachable from the internet. Start here; test identity is where production rules go to relax.
  2. the back-office API shapes — the file-by-filename, record-by-transactionId, and search= user tool. If any one of them answers behind the SSO with a weaker check than the login implies, that's broken access control on internal data.
  3. tokens and a password in URLs on payment and account flows — dead today, but the pattern outlives the tokens that prove it.

Two things stated plainly, the way this series always closes. Every item above is a signal, not a confirmed vulnerability — neobotnet surfaces the shape; confirming exploitability is the researcher's job. And the right destination for anything live is Mercado Libre's HackerOne program, not a blog post.

next week

neobotnet runs the same pass on a different in-scope program every week. Subscribe via RSS or browse the company of the week archive.