CVE-2016-1562
Description
The REST API in the DTE Energy Insight application before 1.7.8 for Android allows remote authenticated users to obtain unspecified customer information via a SQL expression in the filter parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The DTE Energy Insight Android app before 1.7.8 exposes other customers' information via SQL injection in the REST API filter parameter.
Vulnerability
The DTE Energy Insight Android application (versions before 1.7.8) exposes an HTTP REST API that allows authenticated users to query customer energy usage data. The API includes a filter parameter that is vulnerable to SQL expression injection. By crafting a malicious SQL expression in this parameter, an authenticated user can retrieve limited customer information belonging to other users [1].
Exploitation
An attacker must first authenticate as a legitimate user of the DTE Energy Insight app. Once authenticated, they can send HTTP requests to the REST API with a manipulated filter parameter containing arbitrary SQL expressions. The server processes these expressions without proper sanitization, allowing the attacker to query data outside their own account [1].
Impact
A successful attack results in the exposure of limited customer information (such as energy usage details) for other DTE Energy customers. The vulnerability is classified as CWE-200 (Information Exposure) and has a CVSS v3 base score of 4.3 (Medium). The attacker does not gain administrative privileges or the ability to modify data [1].
Mitigation
DTE Energy updated the Insight server backend to mitigate the issue, and the researcher confirmed that the APIs no longer allow access to other data. The fix is included in app version 1.7.8 and later. Users should update to the latest version from the official app store. No workaround is available for earlier versions [1].
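The flaw class described above and a server-side fix, as an added example; this is not DTE Energy's code. The table, the `field op value` filter grammar and the function names are assumptions, and the rows are constructed.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usage_readings (customer_id INTEGER, day TEXT, kwh REAL)")
    db.executemany("INSERT INTO usage_readings VALUES (?, ?, ?)",
                   [(1, "2016-01-01", 12.5), (1, "2016-01-02", 9.0), (2, "2016-01-01", 30.1)])
    return db

SELECT = "SELECT customer_id, day, kwh FROM usage_readings WHERE "

def query_vulnerable(db, session_customer, filter_expr):
    # 'Before' pattern: the client's filter text becomes part of the SQL statement,
    # so any operator in it is evaluated by the database alongside the ownership check.
    return db.execute(f"{SELECT}customer_id = {session_customer} AND {filter_expr}").fetchall()

# Hardened form: a small hypothetical grammar "field op value" with allow-listed parts.
FIELDS = {"day": (re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}"), str),
          "kwh": (re.compile(r"[0-9]+(\.[0-9]+)?"), float)}
OPS = {"eq": "=", "ge": ">=", "le": "<="}
CLAUSE = re.compile(r"(\w+) (eq|ge|le) (.+)")

def query_hardened(db, session_customer, filter_expr):
    m = CLAUSE.fullmatch(filter_expr)
    if not m or m.group(1) not in FIELDS:
        raise ValueError("unsupported filter")
    field, op, raw = m.groups()
    pattern, cast = FIELDS[field]
    if not pattern.fullmatch(raw):
        raise ValueError("malformed filter value")
    # Column and operator come from fixed tables; the value and the caller's
    # customer id (taken from the session, never the request) are bound parameters.
    sql = f"{SELECT}customer_id = ? AND {field} {OPS[op]} ?"
    return db.execute(sql, (session_customer, cast(raw))).fetchall()
```

In the vulnerable form, a filter containing `OR` escapes the `customer_id` condition because `AND` binds tighter; the hardened form rejects that input before any SQL is built.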
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:dte_energy:insight:1.7.7:*:*:*:*:android:*:*
- Range: <1.7.8
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/713312 (nvd; Third Party Advisory, US Government Resource)
- jeffq.com/blog/dteenergy-insight/ (nvd)