Mercado Libre's public API exposed user profiles without any form of authentication or rate limiting. This misconfiguration made it possible to conduct large-scale user enumeration attacks. Using only sequential user IDs, attackers could extract personal information such as usernames, account types, geographic locations, and profile permalinks. Alias Robotics, through its CAI (Cybersecurity AI) framework, created an automated testing methodology to explore this vulnerability and assess its potential impact.
The CAI-driven exercise included rapid API requests using concurrent threads to emulate an adversary collecting user data at scale. The exercise successfully retrieved detailed account metadata from hundreds of users, proving the viability of mass data harvesting. The resulting insights serve as a compelling demonstration of a bug bounty exercise.
In this video, we leverage CAI (Cybersecurity AI) to automate the enumeration of Mercado Libre user accounts. The footage captures the real-time gathering of user data by issuing thousands of requests against the unauthenticated API. The lack of rate limiting or CAPTCHA enforcement is highlighted, showcasing how attackers could exploit this behavior to scrape user profiles for malicious purposes or competitive intelligence.
CAI represents the first open-source framework specifically designed to democratize advanced security testing through specialized AI agents. By 2028, most cybersecurity actions will be autonomous, with humans teleoperating, making CAI's approach to AI-powered vulnerability discovery increasingly critical for organizational security. The framework transcends theoretical benchmarks by enabling practical security outcomes. CAI achieved first place among AI teams and secured a top-20 position worldwide in the "AI vs Human" CTF live challenge, earning a monetary reward, and it has collected various other prizes and bounties since then. This performance demonstrates that AI-powered security testing can compete with, and often exceed, human capabilities in vulnerability discovery.
Mercado Libre is Latin America's largest e-commerce and fintech ecosystem, operating in over 18 countries including Argentina, Brazil, Mexico, and Chile. Founded in 1999, the platform facilitates millions of daily transactions by providing a wide range of services including online retail, digital payments (via Mercado Pago), logistics solutions, and advertising. With over 100 million active users, Mercado Libre handles sensitive user data and financial transactions at massive scale.
Given its expansive user base and integration with banking infrastructure, Mercado Libre represents a high-value target for cybersecurity threats. As the platform continues to scale and innovate, ensuring robust API security and data privacy has become critical. This case study explores a vulnerability in their user-facing API that could expose personal information at scale if left unmitigated.
Mercado Libre's publicly exposed user API permitted unrestricted access to user profile data without requiring authentication tokens or anti-bot controls. This misconfiguration enabled attackers to enumerate user accounts using sequential IDs. During the test, Alias Robotics simulated a real-world adversary, collecting over 100 user records in under a minute. The absence of rate limiting, along with exposed metadata, highlighted the potential for large-scale user data harvesting and increased phishing campaign risk.
To validate and demonstrate the risk, the CAI framework was deployed to script and run enumeration attacks in a controlled environment. By using multi-threaded concurrent requests and dynamic progress tracking, CAI provided concrete evidence of the vulnerability's scale and impact. Key metrics such as enumeration success rate, location-based user distributions, and response latencies were recorded. These results provided actionable intelligence for reporting the issue to Mercado Libre's security response team.
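The behaviour this exercise produced (many rapid profile lookups from one client walking adjacent user IDs) is also what a defender can look for in API access logs. The following is an added example, not code from the case study or from CAI; the simplified log format, the client addresses and the thresholds are all assumptions.

```python
"""Flag sequential user-ID enumeration in API access logs (added illustration,
not code from the case study or CAI). Assumes a simplified log format:
<ISO timestamp> <client ip> GET /users/<numeric id> <http status>"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) (\S+) GET /users/(\d+) (\d{3})$")
# Constructed sample: 203.0.113.5 sweeps IDs 1000-1007 within two seconds (the
# pattern described above); 198.51.100.7 fetches two unrelated profiles minutes
# apart; one malformed line is included on purpose.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 GET /users/1000 200
2024-01-01T10:00:00 203.0.113.5 GET /users/1001 200
2024-01-01T10:00:00 203.0.113.5 GET /users/1002 200
2024-01-01T10:00:01 203.0.113.5 GET /users/1003 200
2024-01-01T10:00:01 203.0.113.5 GET /users/1004 404
2024-01-01T10:00:01 203.0.113.5 GET /users/1005 200
2024-01-01T10:00:02 203.0.113.5 GET /users/1006 200
2024-01-01T10:00:02 203.0.113.5 GET /users/1007 200
2024-01-01T10:00:05 198.51.100.7 GET /users/42 200
2024-01-01T10:02:11 198.51.100.7 GET /users/777 200
this line is not a request record
"""

def parse_log(text):
    """Return {client_ip: [(timestamp, user_id), ...]}; malformed lines are skipped."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, uid, _status = m.groups()
            per_client[ip].append((datetime.fromisoformat(ts), int(uid)))
    return per_client

def find_enumerators(per_client, min_requests=8, window_seconds=10, min_adjacent_ratio=0.8):
    """Flag clients issuing many profile lookups in a short window where most
    consecutive requests hit adjacent IDs, the signature of sequential enumeration."""
    flagged = {}
    for ip, events in per_client.items():
        events = sorted(events)  # order by timestamp so ID deltas follow request order
        if len(events) < min_requests: continue
        span = (events[-1][0] - events[0][0]).total_seconds()
        if span > window_seconds: continue  # slow, spread-out lookups are not flagged
        ids = [uid for _, uid in events]
        adjacent = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
        ratio = adjacent / (len(ids) - 1)
        if ratio >= min_adjacent_ratio:
            flagged[ip] = {"requests": len(ids), "seconds": span, "adjacent_ratio": round(ratio, 2)}
    return flagged
```

In production the same logic would run over a sliding window per client (or per API key) and feed a rate limiter or alert, which is exactly the control the unauthenticated endpoint lacked.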