Pierluigi Paganini June 30, 2019

Bulgarian police arrested the IT expert Petko Petrov after he publicly demonstrated a security vulnerability in the kindergarten software used by local kindergartens.

The IT expert Petko Petrov was arrested by the Bulgarian police because he publicly demonstrated the exploitation of a vulnerability in the software used by local kindergartens.

Petrov exploited the flaw to download the details of 235,543 citizens of Stara Zagora, a province in central Bulgaria with over 333,000 inhabitants, he also published a video PoC on Facebook.

Petkov decided to publicly disclose the vulnerability after he attempted, without success, to report it to the company that developed the software and local authorities.

In the above video, the IT specialist launches an attack against the web portal of the local municipality where parents can sign up children for kindergarten. Petkov exploited the issue to access data of Bulgarian citizens.

The Department Civil Registration and Administrative Services (GRAO) stores personal information of the citizens, including names, addresses, marital status, death, parentage, passport data, nationality and relatives – children, brothers and sisters of about 10.5 million citizens.”

The expert also shared a link to a GitHub repository containing the PoC code that would allow anyone to exploit the flaw.

The Bulgarian authorities arrested Petkov on Friday, he was detained for 24 hours before being set free.

“On June 26, Petkov published a video on social networks, showing that he managed to get into the system and take the data to about 235,000 people without much effort. The same day the municipality stopped access, and the mayor of the city Zhivko Todorov explained that this was done for the purpose of prevention. According to him, the system was developed by the state-owned company “Information Service”.” reads an article published by the Mediapool website.

“The municipality is the user of their software that has been punctured, and all the answers to be given are theirs and I expect this to happen as quickly as possible.” The problem is sufficiently public and if someone has managed to break through the system they have to answer why and how they will overcome the problem, otherwise it does not look serious , “Todorov said.

Immediately after the disclosure of the flaw, Stara Zagora officials have temporarily taken down the vulnerable software to avoid the exploitation of the vulnerability by hackers.

The man is accused to have illegally obtained government information under Article 319A of the Bulgarian Criminal Code, he could face from one to three years in prison, and a fine of up to 5,000 Bulgarian leva ($2,900).

The mayor of Stara Zagora also attempted to contact the Information Services AD that developed the software, by the company has not yet responded. Todorov explained that the company will have to address the flaw in its software on its own expense.

Petkov warned that the same software is also used in other Bulgarian provinces.

Pierluigi Paganini

(SecurityAffairs – kindergarten software, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]