DTE Energy is a Detroit, Michigan-based utility company that provides residential and commercial electric and natural gas. Where I’m located, they are the natural gas company we use to heat our homes. Like many other companies, DTE offers a convenient mobile app that lets you pay your utility bill, view your billing statement, and report utility emergencies in your area.
My buddy Ryan Griffin, who assisted in finding and disclosing the vulnerability to DTE, used this app to pay his gas bill and we sat down one night to figure out how it worked. Using Burp Suite, we intercepted the requests being made from the app.
The “View Billing Statement” button in the mobile app brought up the statement in a pdf document , just like the one that comes in the mail. The request looks something like this:
In the GET request to grab the billing statement, there are two numbers in particular that interested us. The first being the account number and the second being the billing statement number. It wasn’t hard to identify each one, as they were both included in the billing statement itself. For this write-up we have blurred out all but the last four digits of each to respect everyone’s privacy.
A normal request will pull up a familiar billing statement with information like this:
The billing statements contain personal information including first and last name, full address, account number, billing statement number, and other goodies.
So how is this exploited? Lets see if the request is vulnerable to insecure direct object references! The screenshots below are from the proof of concept video we sent DTE.
With permission from Ryan’s parents, we were given access to their DTE account to use as a second set of valid account and statement numbers. We tried the request again, this time swapping Ryan’s billing statement number in our original request with his parent’s. Notice the account number in the request is still Ryan’s account.
His mom’s bill.
After we discovered the vulnerability, we compiled a proof of concept video detailing the discovery. We reached out to email@example.com, and also over LinkedIn to a few of the higher up IT and InfoSec professionals. We were contacted back the very next day by Don VanDePutte, Senior IT Security Engineer at DTE. He was very professional and notified the appropriate individuals immediately. DTE was very quick in fixing this vulnerability and didn’t waste time, rolling out a patch in less than a week.
6/9/2015: Attempted contact via LinkedIN and firstname.lastname@example.org
6/10/2015: Received reply back from Don VanDePutte, Senior IT Security Engineer, requesting PoC
6/10/2015: Sent PoC via email to Don
6/10/2015: Received acknowledgment back regarding PoC with appropriate individuals notified
6/15/2015: Received update that the vulnerability has been patched
6/15/2015: Fix Confirmed
A special thanks goes out to DTE Energy for fast communication and quickly patching the vulnerability, Ryan Griffin for helping me find the vulnerability, Ryan’s Parents for giving permission to use their account, and to Randy Westergren for inspiring me to make a blog like his.