Claude Opus 4.7 helped find a Front Gate Tickets exploit
Ian Carroll used Claude Opus 4.7 in April to locate a flaw that let him gain admin access to Front Gate and add comp tickets for major US.
TL;DR
- 01Ian Carroll used Claude Opus 4.7 in April to locate a flaw that let him gain admin access to Front Gate and add comp tickets for major US.
- 02Claude Opus 4.7 produced the bypass and exploit code that enabled Carroll to evade Front Gate’s web application firewall and extract data.
- 03Carroll first found what looked like a SQL injection but a firewall blocked direct exploitation.
Ian Carroll used Claude Opus 4.7 in April to discover a technique that gave him super-administrator access to Front Gate Tickets, the company that handles ticketing for most major US music festivals, and allowed him to add unlimited comp tickets for events such as Bonnaroo.
What happened?
Ian Carroll, a security researcher who runs Seats.aero, found a website bug that—combined with guidance from Claude Opus 4.7—let him access internal Front Gate systems, view customer and staff records, and add high-value tickets to a comp cart. Front Gate says it patched the flaw and that "This was resolved within 24 hours, and we can confirm there is no evidence of exploitation, ticket impact, or compromise of customer information." Carroll says he did not finalize any orders and instead reported the issue.
How did Claude help find and exploit the flaw?
Claude Opus 4.7 produced the bypass and exploit code that enabled Carroll to evade Front Gate’s web application firewall and extract data. Carroll first found what looked like a SQL injection but a firewall blocked direct exploitation. He asked Claude to find a way through; the model wrote a technique using a nested SQL query to evade detection, then generated a script that displayed samples from a table of 500 databases. That access produced names, emails, and mailing addresses for what Carroll says would amount to "millions of customers," though not credit card details. With staff data exposed, Carroll located a super-administrator account, retrieved a password reset code from the backend, confirmed the reset, and took over the account. He was then able to add expensive tickets, including a 4-day platinum Bonnaroo ticket, to a comp-like shopping cart without completing an order.
Anthropic says it created its Cyber Verification Program to let approved security researchers use Claude for offensive-style testing in defensive contexts and that the program would have blocked such activity for users outside it. Front Gate told Carroll and subsequently said that the incident involved access to an internal API used by entry scanners, not a consumer-facing login, and that many high-value VIP tickets require RFID wristbands that cannot be generated through the online system.
Why it matters
The episode shows how capable current large models can be at producing exploitation code that bypasses common defenses. Carroll says Claude "did it completely by itself" when writing the firewall bypass and exploit code, and he believes the model could have found the exploit end-to-end without his intervention. That lowers the bar for attackers who can combine a known website flaw with an AI-generated bypass and then pivot to high-impact actions, such as creating tickets across a centralized festival-ticketing platform that serves many events. The incident also highlights weak operational hygiene: Carroll found no two-factor authentication preventing account takeover and says Front Gate appears not to have fully audited for obvious vulnerabilities.
What to watch
Whether Front Gate provides public details from any post-incident audit and whether it finds evidence of prior exploitation will matter. Also watch whether festival operators move more high-value ticket controls to out-of-band systems (Front Gate noted RFID wristbands for VIPs) and whether ticketing companies adopt mandatory multi-factor protections and proactive AI-driven red-team checks.
Update: Front Gate provided additional information after the initial disclosure clarifying RFID wristband handling and confirming the patch; this article incorporates that update dated 7/1/2026.
Written by The Brieftide · Source: Wired
The Brieftide Daily · 06:00
Briefs like this one, in your inbox every morning.