Bulgarian IT expert arrested after demoing vulnerability in kindergarten software

June 30, 2019

Bulgarian authorities have arrested an IT specialist for demonstrating a security flaw in the software used by local kindergartens.

The vulnerability allowed the IT expert, named Petko Petrov, to download the details of 235,543 citizens of Stara Zagora, a province in central Bulgaria with over 333,000 inhabitants.

Petkov demoed the security flaw in a video he posted on Facebook earlier this week, on June 25.

The video shows Petkov launch an automated attack against the local municipality’s web portal where parents can sign up children for kindergarten, and using the security flaw to obtain data of Bulgarian citizens.

In a caption posted with the Facebook video, Petkov said he tried to contact the software maker and local authorities but was ignored.

He posted the code on GitHub

The Facebook caption also included a link to a GitHub repository where anyone could download the code for exploiting the vulnerability.

Following Petkov’s public disclosure, Bulgarian authorities arrested the security researcher on Friday. He was jailed for 24 hours but was subsequentially set free.

Local prosecutors are still pending charges under Article 319A of the Bulgarian Criminal Code, on accusations of obtaining government information using illegal methods. If charged and found guilty, Petkov faces from one to three years in prison, and a fine of up to 5,000 Bulgarian leva ($2,900), according to local press [1, 2, 3, 4].

Same software used in other provinces

In the meantime, Stara Zagora officials have taken down the vulnerable software.

The mayor of the city of Stara Zagora told local media[1, 2, 3] that the software maker has not responded to requests for comments from government officials.

The Stara Zagora mayor said the company, named Information Services AD, will have to fix its software on its own expense.

Petkov said the same software is also used in other Bulgarian provinces, meaning hackers may have an open door to harvest Bulgarian citizens’ data.

The data collected via the vulnerability Petkov found includes information usually stored inside a central national database managed by the Department Civil Registration and Administrative Services (GRAO).

According to its website, the GRAO’s database “is like the Social Security Number (or similar) identification in other countries.”

“The system stores as personal data names, addresses, marital status, death, parentage, passport data, nationality and relatives – children, brothers and sisters of about 10.5 million citizens (counting 2 million dead people).”