Bulgarian IT Expert Arrested For Revealing Vulnerability in Software
The vulnerability allowed Petko Petkov to download the details of 235,543 people in Stara Zagora, a province in central Bulgaria with more than 333,000 inhabitants.
Petkov demonstrated the software flaw in a video that he posted on Facebook earlier this week, on June 25.
The video shows Petkov launching an automated attack against the local municipality's website, which parents use to register their children for kindergarten, and using security loopholes in it to obtain data on Bulgarian citizens.
In the Facebook video, Petkov said he had tried to contact the software vendor and the local authorities but had been ignored. The Facebook caption also included a link to a GitHub repository from which anyone could download the code that exploits the vulnerabilities.
After Petkov's public disclosure, Bulgarian authorities arrested the security researcher on Friday. He was held for 24 hours and then released.
As reported by ZDNet, the local prosecutor is still weighing charges under Article 319A of the Bulgarian Penal Code, which covers obtaining information from government systems by illegal means. If charged and convicted, Petkov faces a prison term of one to three years and a fine of up to 5,000 Bulgarian leva ($2,900), according to local media.
Meanwhile, Stara Zagora has taken the vulnerable software offline. The mayor of Stara Zagora told local media [1, 2, 3] that the software company has not responded to requests for comment from government officials. The mayor said the company, named Information Services AD, will have to fix its software at its own expense.
Petkov said that the same software is also used in other Bulgarian provinces, meaning attackers could have an open door to collect data on Bulgarian citizens elsewhere as well.
The data exposed through the vulnerabilities Petkov identified include information normally held in a central national database maintained by the Department of Civil Status and Administrative Services (GRAO).
According to the website, the GRAO database “is tantamount to identifying a social security number (or similar) in another country. The system stores as personal data names, addresses, marital status, death, parenting, passport data, nationality, and relatives – children, brothers, and sisters of about 10.5 million citizens (counting 2 million dead people).”