Hacker Used Claude AI to Score Free Tickets to Nearly Every US Music Show











A critical unauthenticated SQL injection vulnerability in Front Gate Tickets (FGT), a Live Nation/Ticketmaster subsidiary that powers ticketing for major US festivals including EDC, Bonnaroo, and Outside Lands, allowed full administrative takeover of the platform with help from Anthropic’s Claude AI model.

The researcher Ian Carroll noticed that nearly every major US festival funneled ticketing through the same handful of aging FGT domains. While fuzzing the fgtapi.frontgatetickets.com API with the tool ffuf, they found that any endpoint path containing the word “device” triggered a distinct error requiring a deviceUID parameter, exposing unauthenticated middleware tied to on-site scanner and box-office hardware.

Testing revealed that a deviceUID value of 12345 succeeded, but appending a single quote caused the request to hang, indicating the parameter was concatenated directly into a raw SQL query without sanitization.

Bypassing the WAF With Claude

Although the endpoint sat behind an AWS Web Application Firewall, conventional tools like sqlmap failed to gain traction. The researcher then handed the problem to Claude Code running the Opus model, which discovered that the WAF only inspected the outer layer of input, meaning injection payloads nested inside a derived subquery slipped through undetected.

Because the endpoint returned no direct query output, Claude engineered a boolean-based blind SQL injection using a MySQL quirk where a string like 'x' added to a number coerces to zero.

By crafting payloads such as deviceUID = x'+(SELECT CASE WHEN <COND> THEN 1 ELSE 0 END)-- -, the response toggled between two real device names (“MC70-023” for true, “Intellitix Upload” for false), creating a reliable oracle for extracting data one bit at a time.
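The difference between the concatenated lookup described above and a bound, validated one, as an added example (not code from the article or from Front Gate Tickets). An in-memory SQLite database stands in for the MySQL backend, and the table layout, the function names, the device-to-ID mapping and the "Gate Scanner" row are assumptions made for illustration.

```python
import re
import sqlite3

# Payload shape quoted in the article, with <COND> filled by a constant condition.
PAYLOAD = "x'+(SELECT CASE WHEN {cond} THEN 1 ELSE 0 END)-- -"


def make_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE DEVICE (deviceUID INTEGER, name TEXT)")
    db.executemany(
        "INSERT INTO DEVICE VALUES (?, ?)",
        [(0, "Intellitix Upload"), (1, "MC70-023"), (12345, "Gate Scanner")],
    )
    return db


def lookup_concatenated(db, device_uid):
    """Flawed pattern: the request parameter becomes part of the SQL text."""
    sql = "SELECT name FROM DEVICE WHERE deviceUID = '" + device_uid + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(db, device_uid):
    """Hardened pattern: validate the format, then bind the value as data."""
    # Assumption: device IDs are short decimal strings, like the article's 12345.
    if not re.fullmatch(r"[0-9]{1,10}", device_uid):
        raise ValueError("deviceUID must be 1-10 decimal digits")
    row = db.execute(
        "SELECT name FROM DEVICE WHERE deviceUID = ?", (int(device_uid),)
    ).fetchone()
    return row[0] if row else None


def bound_without_validation(db, device_uid):
    """Binding alone already keeps the value out of the SQL grammar."""
    row = db.execute(
        "SELECT name FROM DEVICE WHERE deviceUID = ?", (device_uid,)
    ).fetchone()
    return row[0] if row else None
```

With the concatenated lookup the returned device name follows the injected condition, which is the two-valued oracle the article describes; with a bound parameter the same string is compared as a plain value and matches no row.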

The underlying fgs database contained more than 500 tables, including staff credentials, customer records, and live authentication tokens.

| Table | Sensitive fields exposed |
| --- | --- |
| FGS_USER | Email, passcode, passcode2, permissions JSON |
| PERSON | Email, passcode, reset token |
| RESET_TOKEN / API_TOKEN | Live, redeemable session and OAuth tokens |

By reading a live entry from the RESET_TOKEN table after triggering a password reset, the researcher hijacked an administrator account without ever knowing its password, gaining full write access to every festival on the platform, including inventory, pricing, and checkout systems.

With administrator access, an attacker could issue unlimited free “comp” tickets to any festival, search customer order databases at will (a test search for “chris” returned thousands of records), and read or redeem password reset tokens to hijack staff and customer accounts platform-wide.

The researcher stopped short of exfiltrating bulk data, stating the point was proven once EDC- and Bonnaroo-level administrative control was achieved from a single unauthenticated GET request.

Notably, Front Gate Tickets and Live Nation had no publicly listed security contact, forcing the researcher to guess a valid disclosure email. The vendor reportedly fixed the flaw quickly and indicated a bug bounty program is forthcoming.

This case underscores a growing trend of AI-assisted vulnerability research, where large language models like Claude can autonomously reverse-engineer WAF logic and construct multi-stage blind injection exploits with minimal human guidance, a pattern also seen in Anthropic’s own disclosure of AI-orchestrated attacks and independent tests showing AI agents exploiting SQL injection flaws without explicit hacking instructions.

Legacy ticketing infrastructure handling both consumer sales and physical box-office operations remains an attractive target given the scale of personal and financial data involved.


The post Hacker Used Claude AI to Score Free Tickets to Nearly Every US Music Show appeared first on Cyber Security News.






Guru Baran




