Claude helped uncover a ticketing flaw able to unlock free VIP festival passes

- Anthropic’s Claude helped uncover a critical security flaw that could have had real-world consequences.
- The vulnerability affected Front Gate Tickets, which powers ticket sales for events like Bonnaroo and Lollapalooza.
- An attacker could have gained super-admin access, issued free or VIP tickets, and potentially accessed millions of customer records.
Artificial intelligence is becoming better at writing code, answering questions, and helping developers build apps. Now it’s proving it can uncover security bugs that humans might miss — and a recently disclosed case shows just how serious that can be.
Security researcher Ian Carroll says he used Anthropic’s Claude Opus 4.7 to help him find a critical vulnerability in Front Gate Tickets, the ticketing platform used by many of the biggest music festivals in the US (via Wired). Had the flaw fallen into the wrong hands, it could have allowed someone to generate tickets for major events, including expensive VIP packages, while also exposing sensitive internal systems.
Front Gate isn’t a household name like Ticketmaster, but it powers ticket sales for a long list of festivals, including Bonnaroo, Lollapalooza, Austin City Limits, and SXSW.
Carroll said the investigation began when he realized how many big festivals used the same ticketing platform. While checking the site’s security, he found what looked like an SQL injection vulnerability. Modern web application firewalls are generally designed to prevent these attacks from reaching a database, but this one had a blind spot.
That’s when Claude came into play. Carroll says he asked Anthropic’s AI model to help analyze the vulnerability. Claude cooked up a workaround that used nested SQL queries to get past the site’s firewall defenses. Once the firewall was bypassed, the researcher accessed sample customer databases and eventually found a way to reset an administrator’s password. That eventually provided him with super-admin access to Front Gate’s platform.
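The bug class behind the first finding, as an added illustration rather than code from Front Gate or from Carroll’s research: a ticket lookup that splices user input into SQL beside the same lookup with bound parameters, run against a small in-memory table whose schema and rows are constructed here. It shows why a firewall in front of the database is only a backstop, while parameterization makes the input data rather than query text.

```python
import sqlite3

# Constructed sample data (not Front Gate's schema): a tiny ticket table.
SAMPLE_TICKETS = [
    ("Festival A", "GA", "alice@example.com"),
    ("Festival A", "VIP", "bob@example.com"),
    ("Festival B", "GA", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed tickets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, event TEXT, "
        "tier TEXT, owner_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO tickets (event, tier, owner_email) VALUES (?, ?, ?)",
        SAMPLE_TICKETS,
    )
    return conn


def lookup_vulnerable(conn, email):
    """String-built query: a quote in `email` rewrites the WHERE clause.

    This is the defect a WAF tries to catch at the network edge; any
    pattern the filter does not recognise reaches the database intact.
    """
    sql = f"SELECT event, tier FROM tickets WHERE owner_email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Bound parameter: the driver passes `email` as data, never as SQL.

    The same tautology string is simply compared against owner_email and
    matches nothing, regardless of what any upstream filter allowed through.
    """
    sql = "SELECT event, tier FROM tickets WHERE owner_email = ?"
    return conn.execute(sql, (email,)).fetchall()


def row_counts_for(email):
    """Return (vulnerable_rows, parameterized_rows) for one input string."""
    conn = make_db()
    return len(lookup_vulnerable(conn, email)), len(lookup_parameterized(conn, email))
```

Running `row_counts_for("' OR '1'='1")` returns every row from the string-built query and none from the bound one, which is the whole difference between filtering for bad input and never letting input become code.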
From there, he learned that he could add free tickets for just about any supported event, including premium packages worth thousands of dollars. Carroll says he deliberately stopped short of actually issuing tickets, choosing instead to responsibly disclose the vulnerability before anyone could abuse it.
The exposure might go beyond just free access to the festival. Carroll believes the vulnerability may have also exposed millions of customer records containing names, email addresses, mailing addresses, and internal employee information, but he says payment card data was not accessible through the flaw. The administrator accounts were also not secured with two-factor authentication, which would have made it harder to take over accounts if their credentials leaked, he said.
Front Gate told Wired it resolved the issue within 24 hours of receiving Carroll’s report. The company says it has not seen evidence the vulnerability was exploited, no fraudulent tickets were issued, and no customer information was compromised. It also described the incident as an example of responsible security research that ultimately made its systems more secure.
But Carroll is skeptical of some of those reassurances. He says he obtained administrator-level access via what he views as a public-facing login path and argues that there’s no conclusive proof the flaw had never been abused before he found it. He also disputes the claim that fraudulent tickets would have been found and deleted before use.
Anthropic says Carroll was given permission to use Claude’s advanced offensive security capabilities through its Cyber Verification Program, which provides vetted researchers with access to AI tools for defensive cybersecurity tasks. The company says these capabilities are meant to help security professionals find and report vulnerabilities before criminals can exploit them and claims that similar activity outside of the program would trigger safeguards.