published early, on 2024/12/30, because I’ve been at 38c3 and have been too busy travelling, without reliable connectivity, to post it on time

A dramatic cover photo of a down power line on a road that I took during the storm.

Disclosure Notice

At the time of writing, it is currently Wednesday, November 20th 2024. My power is currently out due to the “Bomb Cyclone”. This is being written in advance, and is planned to be published January 1st, 2025, by which time this should be resolved and have been disclosed by Puget Sound Energy to their customers in accordance with Washington state law.

Details on this breach were sent to PSE’s contacts listed on their ARIN registration, as well as their privacy@pse.com email at 22:27 Nov 19, 2024, and forwarded to the IT Infrastructure manager and CIO at 00:02 Nov 20, 2024. It was acknowledged by a member of their security staff via e-mail at 13:08 Nov 21, 2024.

What is PSE?

Puget Sound Energy is a large utility company, providing residential and commercial gas and electric service. They claim to be Washington’s oldest local energy company, and serve 1.1 million electric customers and 900,000 gas customers across 10 counties in the Puget Sound region. They have been criticized for being held by foreign investment groups since 2007.

What happened?

Last night, November 19th, I was sitting at a restaurant avoiding the storm and checking the Puget Sound Energy outage map, watching the number of impacted customers keep climbing. PSE’s outages were so bad that the outage map on their website was itself having an outage, overloaded by the sheer amount of traffic.

We got curious, and looked at some of the resources the page loads, a notable one being https://www.pse.com/api/sitecore/OutageMap/AnonymoussMapListView.

The AnonymoussMapListView URL returns a JSON document with a few top-level keys:

  • “Common” - broad information about current outages, like current impact
  • “PseMap” - information about every individual outage, the current phase of repair, the number of customers impacted, and the coordinates to draw a polygon on the map
  • “CustomerProfile” - something that’s meant to show information about your specific outage.

CustomerProfile is the interesting one, which we’ll be focusing on. If you’re logged out, this should be null. This is the source of information for an additional “My Outage” pane that shows up if you’re logged in.

It just so happened that at the time we were peeking at the requests and their responses, we noticed that CustomerProfile was populated. With someone’s information.

It wasn’t hard to figure out what the deal was: the responses were coming back with x-cache: Hit from cloudfront in the headers. The origin had been misconfigured so that CloudFront was allowed to cache API responses generated for authenticated users, and it then served those cached responses to everyone who loaded the same page through the same CloudFront node for the next minute. We just happened to hit it at the right time to see someone else’s cached data, served to us by the CloudFront node SEA900-P6.
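As an added example (not PSE’s code and not part of the original post), here is a small Python audit an operator could run over responses sampled from their own endpoint to flag the pattern described above: a body that contains a per-user CustomerProfile yet carries cache headers a shared CDN will honour. The header values, the one-minute TTL, the JSON bodies and the PremisesId field name are constructed assumptions; the post does not record the actual Cache-Control values.

```python
import json
from typing import Dict, List

def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse 'public, max-age=60' into {'public': '', 'max-age': '60'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip()] = arg.strip().strip('"')
    return directives

def response_is_personalized(body: str) -> bool:
    """CustomerProfile is null for anonymous callers (see above); anything
    else means the body was generated for one specific logged-in user."""
    return json.loads(body).get("CustomerProfile") is not None

def audit_cache_headers(headers: Dict[str, str], body: str) -> List[str]:
    """Findings for a response a shared CDN might cache: a personalized body
    with no private/no-store directive is the misconfiguration described
    above; an x-cache hit means this copy already came from the shared cache."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if not response_is_personalized(body):
        return findings  # anonymous bodies are fine to share
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" not in cc and "private" not in cc:
        findings.append("personalized body without Cache-Control: private or no-store")
    if "public" in cc:
        findings.append("personalized body explicitly marked Cache-Control: public")
    if cc.get("max-age", "0") != "0":
        findings.append(f"personalized body cacheable for {cc['max-age']}s")
    if h.get("x-cache", "").lower().startswith("hit"):
        findings.append(f"copy was served from the CDN cache ({h['x-cache']})")
    return findings

# Constructed samples. The leaky case mirrors the post (x-cache hit, one-minute
# TTL, node SEA900-P6); the Cache-Control values and field names are assumptions.
LEAKY_HEADERS = {"Cache-Control": "public, max-age=60",
                 "X-Cache": "Hit from cloudfront", "X-Amz-Cf-Pop": "SEA900-P6"}
SAFE_HEADERS = {"Cache-Control": "private, no-store, max-age=0",
                "X-Cache": "Miss from cloudfront"}
LOGGED_IN_BODY = json.dumps({"Common": {}, "PseMap": [],
                             "CustomerProfile": {"PremisesId": "PLACEHOLDER"}})
ANON_BODY = json.dumps({"Common": {}, "PseMap": [], "CustomerProfile": None})

if __name__ == "__main__":
    print(audit_cache_headers(LEAKY_HEADERS, LOGGED_IN_BODY))  # four findings
    print(audit_cache_headers(SAFE_HEADERS, LOGGED_IN_BODY))   # []
```

The fix the audit points at is two-sided: the origin must mark per-user responses private or no-store, and the CDN’s cache behaviour for that path must not be allowed to override it.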

Tom Scott made an excellent video summarizing a very similar incident that the video game market and distribution site Steam had on Christmas 2015, which you can watch here: https://www.youtube.com/watch?v=dkSslseq9Y8

What’s the damage?

It’s hard to know the exact scale of the damage or who was impacted. Looking through some DNS history in SecurityTrails, they’ve been using CloudFront since at least 2019, and the site has been calling the AnonymoussMapListView API since the current redesign launched in (apparently) 2019. I’m not sure what the cache headers have looked like going back that far, but it’s possible this has been leaking user data for several years and has gone unnoticed.

From November 19th to November 20th, our polling observed 25 instances where CustomerProfile came back populated with a unique customer’s data.

The CustomerProfiles that were distributed by the misconfigured cache contained the following customer information:

  • E-mail
  • Phone Number
  • Service address
  • City
  • Zip Code
  • Latitude and Longitude of the customer premises
  • Premises ID

A complete example of a (sanitized) populated CustomerProfile object is available here. The information contained within the CustomerProfile object has been replaced with the address, coordinates, etc. of the Puget Sound Energy headquarters or otherwise been replaced with non-sensitive space-filler information.


For comments or inquiries, please contact sec@en0.io