Vulnerability Note VU#713312
DTE Energy Insight app vulnerable to information exposure
The DTE Energy Insight app API allows an authenticated user to obtain and query certain limited customer information from other customers.
CWE-200: Information Exposure - CVE-2016-1562
The DTE Energy Insight app lets DTE Energy customers track their energy usage. This information is exposed via an HTTP REST API.
A remote, authenticated user may be able to obtain limited information about other customers.
DTE Energy has updated its Insight server backend to mitigate this issue. The researcher has confirmed that the APIs no longer allow access to other data.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|DTE Energy||Affected||03 Feb 2016||01 Mar 2016|
CVSS Metrics (Learn More)
Thanks to Jeffrey Quesnelle for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-1562
- Date Public: 10 Mar 2016
- Date First Published: 11 Mar 2016
- Date Last Updated: 14 Mar 2016
- Document Revision: 39
If you have feedback, comments, or additional information about this vulnerability, please send us email.