Photo Credit: Clint Patterson

A white-hat hacker and security researcher discovered an AI exploit using chatbot Claude to gain full access to the systems that handle ticketing for nearly every major US festival.

In April, security researcher and “white-hat” hacker Ian Carroll used the AI tool Claude Opus 4.7 to discover an exploit that allowed him full access to the systems of Front Gate Tickets, which handles ticketing for nearly every major U.S. music festival, including Lollapalooza, South by Southwest, and Austin City Limits.

According to Carroll, Front Gate—a subsidiary of Live Nation—had a bug on its website that, with Claude’s help, allowed him to gain access to millions of customer and staff records and to freely issue tickets for any event, at any value, to anyone he chose.

“It was pretty cool to see a ticket that’s $4,000, and I could just hit a button and issue as many as I wanted,” Carroll told Wired. “I could go to every single event with no limitations or restrictions; I could get the backstage pass or whatever they sell to the super VIPs—even if it’s sold out.”

Carroll, who performs independent research but also runs the flight search engine startup Seats.aero, did not take advantage of his newfound ticket-issuing power. Instead, he reported his findings to Front Gate, which told Wired that it had since patched the vulnerability. The company said it appreciated Carroll for reporting the flaw, describing the incident as a successful collaboration that led to improvements to its website’s security.

But even with the issue fixed, the incident shines a spotlight on how broadly AI may be able to help identify similar hacks across the internet. It also demonstrates that hackers who are not performing security research, or other bad actors, could manipulate such tools.

Carroll is part of Anthropic’s Cyber Verification Program, which allows approved security researchers to use its tools to perform hacking functions to identify exactly these sorts of holes in its system. But Carroll expressed how taken aback he was by the ease with which Claude came up with “key elements” of his technique for accessing the Front Gate site.

“I think there’s a very good chance it could have found this exploit end-to-end without me doing anything at all,” he said.

He also points out that Front Gate, which argued in a statement to Wired that the company’s security safeguards limited the exposure of personal information, doesn’t claim to have evidence that the vulnerability was not previously exploited. Carroll said he was able to gain “super-administrator” access to the company’s platform without any discernible response from the company. It seems that Front Gate wants to keep the matter on the down-low.

Carroll said he first became aware of Front Gate only a couple of months ago, when he was considering attending Electric Daisy Carnival (EDC) in Las Vegas. When he saw that the festival’s ticketing was run by Front Gate, he was curious what other festivals utilized the company and realized that nearly every major U.S. music festival (aside from Coachella) made use of Front Gate.

“This is like Ticketmaster but for music festivals,” he said. “They have the monopoly, essentially.”

“There’s just this one centralized company issuing all tickets for every single festival,” he added. “And even without this vulnerability, if you knew someone’s password, you could just log in without any verification and issue free tickets.”

“It just feels concerning when you think these very professional music festivals with professional websites are well-run,” Carroll concluded. “Then you get access, and you realize it’s all held together by duct tape and prayers.”