Bulgarian authorities have arrested an IT specialist for demonstrating a security flaw in the software used by local kindergartens.

The vulnerability allowed the IT expert, named Petko Petrov, to download the details of 235,543 citizens of Stara Zagora, a province in central Bulgaria with over 333,000 inhabitants.

Petkov demoed the security flaw in a video he posted on Facebook[1] earlier this week, on June 25.

The video shows Petkov launching an automated attack against the local municipality's web portal, where parents can sign up children for kindergarten, and using the security flaw to obtain data of Bulgarian citizens.

In a caption posted with the Facebook video, Petkov said he tried to contact the software maker and local authorities but was ignored.

He posted the code on GitHub

The Facebook caption also included a link to a GitHub repository[2] where anyone could download the code for exploiting the vulnerability.

Following Petkov's public disclosure, Bulgarian authorities arrested the security researcher on Friday. He was jailed for 24 hours but was subsequently set free.

Charges from local prosecutors are still pending under Article 319A of the Bulgarian Criminal Code, on accusations of obtaining government information using illegal methods. If charged and found guilty, Petkov faces from one to three years in prison, and a fine of up to 5,000 Bulgarian leva ($2,900), according to local press [1, 2, 3, 4].

Same software used in other provinces

In the meantime, Stara Zagora officials have taken down the vulnerable software.

The mayor of the city of Stara Zagora told local media[1, 2, 3] that the software maker has not responded to requests for comments from government
