Under the intended authentication mechanism, a user should only receive an access token when they present the right combination of client id and client secret.
For at least 7 hours, anyone could obtain an access token for any client id without supplying the correct client secret. With that access token they could see a lot of information for any account.
TL;DR: You could provide a "lalala" secret, or "whatever", and it would provide you with an actual access token for any client ID you passed for Mercado Pago's production server.
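The failure described above is a token endpoint that looks the client up by id but never compares the secret. The following Python is an added illustration written for this page, not Mercado Pago's code and not based on knowledge of their implementation: the hypothetical `issue_token_broken` shows the class of bug (secret ignored), `issue_token_fixed` shows the check that should have been there (salted hash, constant-time comparison, same work for unknown ids), and `secret_enforced` is the regression check a defender would run against either. The client registry, salt and secret value are constructed for the example.

```python
"""Client-credentials token issuance: a secret check that is skipped versus one that is enforced.
Added example; the client registry and secrets below are constructed, not real data."""
import hashlib
import hmac
import secrets


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Secrets are stored as salted PBKDF2 hashes so a database read does not reveal them.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


_SALT = b"constructed-static-salt-for-demo"  # constructed; a real deployment uses a per-client random salt
CLIENTS = {
    "client-123": _hash_secret("correct-horse-battery-staple", _SALT),  # constructed registry entry
}


class AuthError(Exception):
    """Raised when credentials are rejected."""


def issue_token_broken(client_id: str, client_secret: str) -> str:
    """Mirrors the failure described above (hypothetical code): the client id is
    looked up, but the supplied secret is never compared, so any value is accepted."""
    if client_id not in CLIENTS:
        raise AuthError("unknown client")
    # BUG: client_secret is never checked
    return secrets.token_urlsafe(32)


def issue_token_fixed(client_id: str, client_secret: str) -> str:
    """Hardened form: verify the secret with a constant-time comparison before issuing."""
    stored = CLIENTS.get(client_id)
    # Hash the candidate even for unknown ids so response timing does not reveal valid client ids.
    candidate = _hash_secret(client_secret, _SALT)
    if stored is None or not hmac.compare_digest(candidate, stored):
        raise AuthError("invalid client credentials")
    return secrets.token_urlsafe(32)


def rejects(issuer, client_id: str, client_secret: str) -> bool:
    """True if the issuer refuses to mint a token for these credentials."""
    try:
        issuer(client_id, client_secret)
    except AuthError:
        return True
    return False


def secret_enforced(issuer, client_id: str = "client-123") -> bool:
    """Regression check: the issuer must reject a wrong secret and accept the right one.
    The wrong-secret value is the one quoted in the write-up above."""
    return rejects(issuer, client_id, "lalala") and not rejects(
        issuer, client_id, "correct-horse-battery-staple"
    )


if __name__ == "__main__":
    print("broken endpoint enforces secret:", secret_enforced(issue_token_broken))
    print("fixed endpoint enforces secret:", secret_enforced(issue_token_fixed))
```

The check in `secret_enforced` is the kind of test that would have caught this before deployment: it asserts on behaviour (a wrong secret must be refused), not on the presence of a comparison in the code, so it also catches a comparison that is present but wired to the wrong value.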