Claude helped a hacker get free VIP tickets to the most popular US festivals
Claude helped a hacker break into the ticketing system used by major US music festivals, giving him free access to tickets worth up to $4,000.
Security researcher and white-hat hacker Ian Carroll said that Claude's artificial intelligence helped him discover and exploit a vulnerability in the system. This bug allowed him to download unlimited tickets to major US music festivals, including Lollapalooza, Bonnaroo, Austin City Limits, Electric Daisy Carnival, and South by Southwest, for free, Cybernews reports.
“It was pretty cool to see a $4,000 ticket and realize that I could just push a button and release as many of them as I wanted. I could go to absolutely any event without any limits or restrictions; I could get a backstage pass or anything else they sell for super VIPs, even if all the tickets were already sold out,” Carroll said.
According to Carroll, the vulnerability was caused by a flaw in the Front Gate platform's device API that allowed unauthenticated SQL injection.
SQL injection is a common web vulnerability that allows attackers to manipulate database queries if an application does not properly sanitize user input. In this case, a parameter called deviceUID was reportedly inserted directly into database queries.
Carroll's initial attempts to exploit the vulnerability were blocked by the site's web application firewall. Instead of giving up, he turned to Claude 4.7 Opus, Anthropic's latest AI model, and asked the AI to find another way.
According to Carroll, Claude discovered that the firewall only checked the outer layer of the SQL queries sent. By wrapping the malicious query in a nested subquery, the AI created an exploit that successfully bypassed the protection system.
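As an added illustration that is not code from the article or from Front Gate: a minimal Python model of the deviceUID flaw described above, showing the string-built query beside its parameterized fix against a constructed in-memory SQLite table (the schema, device values and function names are assumptions). The point for defenders is that binding the parameter removes the injection at the source, so nothing depends on a firewall inspecting query text.

```python
import sqlite3

# Constructed sample data: a hypothetical scanner-device registry of the
# kind a ticketing platform's device API might query by deviceUID.
SAMPLE_DEVICES = [
    ("dev-1001", "gate-A-scanner"),
    ("dev-1002", "gate-B-scanner"),
    ("dev-1003", "backstage-scanner"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (device_uid TEXT PRIMARY KEY, label TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)", SAMPLE_DEVICES)
    return conn


def lookup_device_vulnerable(conn, device_uid):
    # The defect the article describes: the deviceUID value is pasted into
    # the SQL text, so its characters become part of the query grammar.
    sql = f"SELECT label FROM devices WHERE device_uid = '{device_uid}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_device_safe(conn, device_uid):
    # The fix: a bound parameter. The driver passes the value separately
    # from the statement, so whatever it contains can only be compared
    # against device_uid, never parsed as SQL.
    sql = "SELECT label FROM devices WHERE device_uid = ?"
    return [row[0] for row in conn.execute(sql, (device_uid,))]


def demo():
    conn = make_db()
    honest = "dev-1002"
    # A textbook tautology string, used only to show that the vulnerable
    # version lets input change the query's logic.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_honest": lookup_device_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_device_vulnerable(conn, hostile),
        "safe_honest": lookup_device_safe(conn, honest),
        "safe_hostile": lookup_device_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```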
Once the protection was bypassed, Carroll gained access to a database containing over 500 tables. Among the exposed data were employee logins and active password reset tokens.
Using these tokens, the hacker was able to gain administrator privileges on the platform. With this level of access, he was able to create tickets for any event hosted through Front Gate, including premium VIP packages worth thousands of dollars.
Carroll said he found a platinum ticket to Bonnaroo worth about $4,000 that could be copied in unlimited quantities. However, the researcher stressed that he did not actually create or use any tickets to enter the events.
"I stopped there and did not review any records other than those necessary to confirm the problem. The point was proven: one unauthorized request to the scanner API was enough to become an administrator of EDC, Bonnaroo and any other festival on this platform," the white-hat hacker noted.

According to the researcher, anyone with nothing more than the public address of the device API could have issued tickets to any Front Gate Tickets event for free, obtained customer data and internal passwords, and taken over employee accounts using the password reset tokens.
The hacker reported the issue to Front Gate on April 25, and the vulnerability was fixed the next day. The platform said there was no evidence of actual cyberattacks or the issuance of fake tickets.
Front Gate also downplayed the threat, noting that any illegally created tickets would leave a trace during an audit and would be voided before the event even began.