{"id":14052,"date":"2026-07-03T10:03:35","date_gmt":"2026-07-03T10:03:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/03\/hacker-used-claude-ai-to-score-free-tickets-to-nearly-every-us-music-show\/"},"modified":"2026-07-03T10:03:35","modified_gmt":"2026-07-03T10:03:35","slug":"hacker-used-claude-ai-to-score-free-tickets-to-nearly-every-us-music-show","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/03\/hacker-used-claude-ai-to-score-free-tickets-to-nearly-every-us-music-show\/","title":{"rendered":"Hacker Used Claude AI to Score Free Tickets to Nearly Every US Music Show"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A critical unauthenticated SQL injection vulnerability in Front Gate Tickets (FGT), a Live Nation\/Ticketmaster subsidiary that powers ticketing for major US festivals including EDC, Bonnaroo, and Outside Lands, allowed full administrative takeover of the platform; the exploit was developed with help from Anthropic\u2019s Claude AI model.<\/p>\n<p class=\"wp-block-paragraph\">Researcher Ian Carroll noticed that nearly every major US festival funneled ticketing through the same handful of aging FGT domains. 
While fuzzing the <code>fgtapi.frontgatetickets.com<\/code> API with the tool ffuf, they found that any endpoint path containing the word \u201cdevice\u201d triggered a distinct error requiring a <code>deviceUID<\/code> parameter, exposing unauthenticated middleware tied to on-site scanner and box-office hardware.<\/p>\n<p class=\"wp-block-paragraph\">Testing revealed that a <code>deviceUID<\/code> value of <code>12345<\/code> succeeded, but appending a single quote caused the request to hang, indicating the parameter was concatenated directly into a raw SQL query without sanitization.<\/p>\n<h2 id=\"h-bypassing-the-waf-with-claude\" class=\"wp-block-heading\"><strong>Bypassing the WAF With Claude<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Although the endpoint sat behind an AWS Web Application Firewall, conventional tools like sqlmap failed to gain traction. The researcher then handed the problem to Claude Code running the Opus model, which discovered that the WAF only inspected the outer layer of input, meaning injection payloads nested inside a derived subquery slipped through undetected.<\/p>\n<p class=\"wp-block-paragraph\">Because the endpoint returned no direct query output, Claude engineered a boolean-based <a href=\"https:\/\/cybersecuritynews.com\/proftpds-sql-injection-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">blind SQL injection<\/a> using a MySQL quirk where a string like <code>'x'<\/code> added to a number coerces to zero.<\/p>\n<p class=\"wp-block-paragraph\">By crafting payloads such as <code>deviceUID = x'+(SELECT CASE WHEN &lt;COND&gt; THEN 1 ELSE 0 END)-- -<\/code>, the response toggled between two real device names (\u201cMC70-023\u201d for true, \u201cIntellitix Upload\u201d for false), creating a reliable oracle for extracting data one bit at a time.<\/p>\n<p class=\"wp-block-paragraph\">The underlying <code>fgs<\/code> database contained more than 500 tables, including staff credentials, customer records, and live 
authentication tokens.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Table<\/th>\n<th>Sensitive fields exposed<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>FGS_USER<\/td>\n<td>Email, passcode, passcode2, permissions JSON<\/td>\n<\/tr>\n<tr>\n<td>PERSON<\/td>\n<td>Email, passcode, reset token<\/td>\n<\/tr>\n<tr>\n<td>RESET_TOKEN \/ API_TOKEN<\/td>\n<td>Live, redeemable session and OAuth tokens<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\">By reading a live entry from the RESET_TOKEN table after triggering a password reset, the researcher hijacked an administrator account without ever knowing its password, gaining full write access to every festival on the platform, including inventory, pricing, and checkout systems.<\/p>\n<p class=\"wp-block-paragraph\">With administrator access, an attacker could issue unlimited free \u201ccomp\u201d tickets to any festival, search customer order databases at will (a test search for \u201cchris\u201d returned thousands of records), and read or redeem password reset tokens to hijack staff and customer accounts platform-wide.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/ian.sh\/frontgate\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">The researcher stopped short<\/a> of exfiltrating bulk data, stating the point was proven once EDC- and Bonnaroo-level administrative control was achieved from a single unauthenticated GET request.<\/p>\n<p class=\"wp-block-paragraph\">Notably, Front Gate Tickets and Live Nation had no publicly listed security contact, forcing the researcher to guess a valid disclosure email. 
The vendor reportedly fixed the flaw quickly and indicated a bug bounty program is forthcoming.<\/p>\n<p class=\"wp-block-paragraph\">This case underscores a growing trend of <a href=\"https:\/\/cybersecuritynews.com\/google-infrastructure-hacked-ai\/\" target=\"_blank\" rel=\"noreferrer noopener\">AI-assisted vulnerability research<\/a>, in which large language models like Claude can autonomously reverse-engineer WAF logic and construct multi-stage blind injection exploits with minimal human guidance. The same pattern appears in Anthropic\u2019s own disclosure of AI-orchestrated attacks and in independent tests showing AI agents exploiting SQL injection flaws without explicit hacking instructions.<\/p>\n<p class=\"wp-block-paragraph\">Legacy ticketing infrastructure handling both consumer sales and physical box-office operations remains an attractive target given the scale of personal and financial data involved.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/claude-ai-score-free-tickets-music\/\">Hacker Used Claude AI to Score Free Tickets to Nearly Every US Music Show<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n
<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A critical unauthenticated SQL injection vulnerability in Front Gate Tickets (FGT), a Live Nation\/Ticketmaster subsidiary that powers ticketing for major US festivals including EDC, Bonnaroo, and Outside Lands, allowed full administrative takeover of the platform with help from Anthropic\u2019s Claude AI [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-14052","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14052"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14052"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14052\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14052"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2
\/tags?post=14052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}