Recently, the Bulgarian police detained an information security specialist Petko Petrov, who published a video about the vulnerability in the IT system of the municipality used in local kindergartens.
Bulgarian security researcher Petko Petkov discovered a vulnerability in the software used in local kindergartens. Petkov made a video demonstrating the vulnerability and posted it on Facebook about a week ago, on June 25. The video shows an automated attack on the portal of the local municipality, through which parents apply for admission of their child to kindergarten. The security expert was able to download the data of almost 236 thousand inhabitants of the Bulgarian city of Stara Zagora where more than 330 thousand people live using such vulnerability.
The specialist wrote a comment to the video that he tried to contact the software developer Information Services AD and the municipal authorities, but his reports about the vulnerability were ignored. Therefore, Petkov published a video to draw attention to the problem. Also, the man posted in the same comment a link to GitHub with PoC-code, opening access to it to everyone.
Even worse, the research explains that the same system is used in other Bulgarian cities, which means that hackers can freely obtain personal data of residents, including passport, information about their marital status, nationality, their relatives, etc.
Shortly after the public disclosure of information about the vulnerability, Bulgarian law enforcement officers arrested Petkov. He was arrested for 24 hours, but the researcher was later released.
According to the Bulgarian Media, the Prosecutor’s office intends to charge the man under the article “illegal access to computer information protected by law”. Petkov faces from one to three years in prison and a fine of about $ 2,900.
Although the man is now in trouble with the law, he achieved his goal – the problem was noticed, and after the incident the municipality refused to use vulnerable software, as they also failed to contact its developers and get official comments. The Mayor of Stara Zagora Zhivko Todorov told the media that the developer will eliminate the vulnerability at their own expense.