AIToday

AI helped researcher hack ticketing system for major US music festivals

WIRED AI3h ago6 min read
AI helped researcher hack ticketing system for major US music festivals

Key takeaway

A security researcher using Anthropic's Claude AI discovered a critical vulnerability in Front Gate Tickets, the vendor handling ticketing for nearly every major US music festival. The researcher was able to gain administrator access and issue free tickets for any event through a SQL injection flaw that Claude helped bypass. Front Gate patched the issue within 24 hours after being notified, and the incident demonstrates both the power of AI in finding security bugs and the risks posed when a single vendor controls ticketing for an entire category of high-value events.

Summaries like this, in your inbox every morning.

Sign up free →

3 Key Points

  • What happened

    Security researcher Ian Carroll used Claude Opus 4.7 in April to discover a vulnerability in Front Gate Tickets, which handles ticketing for nearly every major US music festival including Lollapalooza and South by Southwest. Carroll found he could exploit a SQL injection flaw to gain super-administrator access, allowing him to issue free tickets of any value to himself or others. Front Gate patched the vulnerability within 24 hours after Carroll reported it.

  • Why it matters

    The incident reveals how AI tools can help identify security flaws across the internet at scale. Carroll noted he was surprised Claude came up with key elements of the exploit technique, and he believes there was a very good chance the AI could have found the exploit end-to-end without human involvement. For a company handling ticketing for practically every major US music festival, this concentration of control in a single vendor makes the stakes of such vulnerabilities particularly high.

  • What to watch

    Carroll is part of Anthropic's Cyber Verification Program, which allows approved security researchers to use its AI tools for hacking research; the company stated that if Carroll had not been part of the program, his use of Claude to hack the system would have been detected and blocked. Front Gate confirmed there is no evidence of actual exploitation or compromise of customer information.

FAQ

What was the actual vulnerability Carroll found?
Carroll found a SQL injection vulnerability—a common flaw where attackers input commands into a text field that run on the site's backend. Front Gate had a web application firewall blocking the exploit, but Claude discovered that a nested SQL query (a SQL query inside another SQL query) could evade the firewall's detection.
Did Carroll actually issue any fraudulent tickets?
No. Carroll found he could add high-value Bonnaroo tickets like a $4,000 Platinum pass to his cart after taking over a staff administrator's account, but he did not complete any orders or issue tickets for fear of crossing a legal line and being charged with fraud.
What customer data would have been exposed?
Carroll found he could access a table of 500 databases containing customer information including names, emails, and mailing addresses, but not credit card details. He also gained access to staff data.

Discussion

No comments yet. Be the first to share your thoughts!

Log in to join the discussion

Related Articles

Stay ahead with AI news

Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.

Get Started Free

Free · takes 30 seconds · unsubscribe anytime

1 minute a day. The AI essentials.

200+ sources · Email / LINE / Slack

Get it free →