search menu icon-carat-right cmu-wordmark

CERT Coordination Center


DTE Energy Insight app vulnerable to information exposure

Vulnerability Note VU#713312

Original Release Date: 2016-03-11 | Last Revised: 2016-03-14

Overview

The DTE Energy Insight app API allows an authenticated user to obtain and query certain limited customer information from other customers.

Description

CWE-200: Information Exposure - CVE-2016-1562

The DTE Energy Insight app lets DTE Energy customers track their energy usage. This information is exposed via an HTTP REST API.

The API contains a parameter 'filter' that may be manipulated by an authenticated user. This parameter determines the customer data to be returned by the server. By manipulating the 'filter' parameter, an authorized user may be able to obtain and query limited customer information for other users.

The researcher has released a blog post with more details.

Impact

A remote, authenticated user may be able to obtain limited information about other customers.

Solution

DTE Energy has updated its Insight server backend to mitigate this issue. The researcher has confirmed that the APIs no longer allow access to other data.

Vendor Information

713312
Expand all

DTE Energy

Notified:  February 03, 2016 Updated:  March 01, 2016

Statement Date:   February 26, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

DTE Energy has released version 1.7.8 to resolve the reported vulnerability. Ensure your device is updated to the latest version of this app.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
Temporal 3.1 E:POC/RL:OF/RC:C
Environmental 2.3 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Jeffrey Quesnelle for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-1562
Date Public: 2016-03-10
Date First Published: 2016-03-11
Date Last Updated: 2016-03-14 14:28 UTC
Document Revision: 39

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.