Claude helped hacker generate free tickets to major music festivals
A security researcher used Claude Opus 4.7 to uncover a vulnerability in a platform serving much of the US festival industry
With the help of Anthropic's AI model Claude Opus 4.7, a security researcher has uncovered a critical vulnerability that could have allowed hackers to generate free tickets for some of the biggest music festivals in the United States.
According to a report by Wired, independent security researcher Ian Carroll discovered the vulnerability in April while investigating Front Gate's infrastructure. The platform powers ticketing for major festivals including Lollapalooza, Bonnaroo, South by Southwest and Austin City Limits, making the potential impact particularly significant. Carroll said Claude Opus 4.7 helped identify a method for bypassing the site's web application firewall, ultimately enabling administrator-level access to the system.
Carroll said his investigation began while considering attending Electric Daisy Carnival (EDC) Las Vegas, one of the world's largest electronic music festivals. After noticing that EDC's ticketing was managed by Front Gate, he discovered the same platform was also used by nearly every major US music festival outside of Coachella. "This is like Ticketmaster but for music festivals," Carroll recalled thinking. "They have the monopoly, essentially."
After identifying the vulnerability with Claude's assistance, Carroll said he was able to escalate his access even further by taking control of staff accounts. Using administrator information exposed through the exploit, he reset the password of a super-administrator account and gained full administrative privileges without encountering two-factor authentication. The access allowed him to browse premium festival tickets and demonstrated that complimentary tickets for virtually any event on the platform could have been generated at will.
"It was pretty cool to see a ticket that's $4,000, and I could just hit a button and issue as many as I wanted," Carroll told Wired. "I could go to every single event with no limitations or restrictions: I could get the backstage pass or whatever they sell to the super VIPs—even if it's sold out."
Despite demonstrating the exploit, Carroll said he did not generate any tickets or misuse the access, instead reporting the vulnerability directly to Front Gate through responsible disclosure. In a statement shared with Wired, the company said the issue "was resolved within 24 hours" and added that there was "no evidence of exploitation, ticket impact, or compromise of customer information." Front Gate also credited Carroll for responsibly reporting the flaw.
The incident has reignited discussion around the growing role of AI in cybersecurity, with Carroll suggesting the model required remarkably little guidance. "I think there's a very good chance it could have found this exploit end-to-end without me doing anything at all," he said. Anthropic, meanwhile, noted that Carroll's research was conducted under its Cyber Verification Program, which allows approved security researchers to use its AI models for defensive security testing.
[Via Wired]
