Vulnerability Note VU#713312
DTE Energy Insight app vulnerable to information exposure
Original Release date: 11 Mar 2016 | Last revised: 14 Mar 2016

Overview
The DTE Energy Insight app API allows an authenticated user to obtain and query certain limited customer information from other customers.

Description
CWE-200: Information Exposure – CVE-2016-1562
The DTE Energy Insight app lets DTE Energy customers track their energy usage.

This information is exposed via an HTTP REST API.

The API contains a parameter ‘filter’ that may be manipulated by an authenticated user.

This parameter determines the customer data to be returned by the server.

By manipulating the ‘filter’ parameter, an authorized user may be able to obtain and query limited customer information for other users.

The researcher has released a blog post with more details.

Impact
A remote, authenticated user may be able to obtain limited information about other customers.

Solution
DTE Energy has updated its Insight server backend to mitigate this issue.

The researcher has confirmed that the APIs no longer allow access to other data.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedDTE EnergyAffected03 Feb 201601 Mar 2016If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
4.0
AV:N/AC:L/Au:S/C:P/I:N/A:N

Temporal
3.1
E:POC/RL:OF/RC:C

Environmental
2.3
CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

CVE-2016-1562: Unauthenticated “filter” parameter leads to customer information leak in the DTE Energy Insight app


https://play.google.com/store/apps/details?id=com.dteenergy.insight&hl=en

Credit

Thanks to Jeffrey Quesnelle for reporting this vulnerability.
This document was written by Garret Wassermann.

Other Information

CVE IDs:
CVE-2016-1562

Date Public:
10 Mar 2016

Date First Published:
11 Mar 2016

Date Last Updated:
14 Mar 2016

Document Revision:
39

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.