Claude helped researcher break into Front Gate ticketing
TL;DR
- Security researcher Ian Carroll used Claude Opus 4.7 to find and exploit a bug in Front Gate Tickets, the Live Nation platform behind most US festivals.
- Claude generated a nested SQL query that bypassed the site's web application firewall, letting Carroll reach customer databases and reset an admin password.
- Front Gate resolved the flaw within 24 hours, and Carroll worked through Anthropic's Cyber Verification Program for approved offensive security research.
A security researcher walked into Front Gate Tickets, the Live Nation subsidiary that runs ticketing for Lollapalooza, Bonnaroo, South by Southwest, Austin City Limits and most other big US festivals, and walked out with super-admin access. The interesting part is who wrote the bypass. Ian Carroll, per reporting from WIRED, spotted what looked like an SQL injection on Front Gate's site. A modern web application firewall was in the way. So he asked Claude Opus 4.7 to write him a workaround, and the model produced a nested SQL query that slipped past the firewall.
From there the chain was short. Access to sample customer databases, then a super-admin account, then a password reset whose confirmation code Carroll pulled straight from the database. At that point he could, in his words, issue any ticket to any festival for any dollar value. "It was pretty cool to see a ticket that's $4,000, and I could just hit a button and issue as many as I wanted," he told the magazine.
Front Gate told WIRED it resolved the issue within 24 hours of receiving Carroll's report, has seen no evidence the vulnerability was exploited, and says no fraudulent tickets were issued and no customer information was compromised. Carroll himself is part of Anthropic's Cyber Verification Program, which gives approved security researchers sanctioned access to use Claude for adversarial work.
The sanctioned-researcher framing is doing a lot of work here, and the actual technical claim underneath it is what matters. A frontier model can now generate the specific payload needed to bypass a live WAF and chain it into a full admin takeover. WAF vendors have spent years training filters against known injection patterns. A model that will write novel nested-query variants on demand is a different threat model than one static bypass showing up on a GitHub gist.
The honest caveat is that the reporting does not tell you how much of the chain was Claude and how much was Carroll's own reconnaissance, what the prompt looked like, or whether Anthropic's safety training tried to refuse before producing the payload. The forward-looking piece worth watching is whether firewall vendors and bounty platforms adjust to LLM-generated payloads as first-class threats, and whether Anthropic's Cyber Verification Program becomes a model other frontier labs copy.
Shared on Bluesky by 2 AI experts
-
A security researcher using Claude Opus 4.7 found the AI tool could independently code an exploit to hack into Front Gate Tickets, the ticketing platform for almost every major US music festival from Lollapalooza to Bonn…
View on Bluesky →
Originally reported by wired.com
Read the original article →Original headline: Claude Helped a Hacker Find a Way to Issue Tickets to Almost Every US Music Festival | WIRED