A significant unauthenticated SQL injection vulnerability has been identified in Front Gate Tickets (FGT), a subsidiary of Live Nation/Ticketmaster, which facilitates the ticketing framework for prominent U.S. festivals such as EDC, Bonnaroo, and Outside Lands.
The flaw allowed complete administrative control of the platform, and its exploitation was developed with the aid of Anthropic’s Claude AI model.
Researcher Ian Carroll observed that a multitude of major U.S. festivals utilized a limited number of antiquated FGT domains for their ticketing needs.
During a fuzzing process on the fgtapi.frontgatetickets.com API using the ffuf tool, it was revealed that any endpoint path including the term “device” generated a unique error that necessitated a deviceUID parameter, unveiling unauthenticated middleware associated with on-site scanners and box-office technology.
Further examination demonstrated that a deviceUID value of 12345 was successful; however, appending a single quote caused the request to stall, indicating the parameter was concatenated directly into an unfiltered SQL query.
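The root cause described above, shown beside its fix, as an added example that is not code from Front Gate Tickets or the researcher. The schema, device names, and identifier format are assumptions, and an in-memory SQLite database stands in for the MySQL backend.

```python
import re
import sqlite3

# Assumed identifier format; the real deviceUID format is not given in the article.
UID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")

def make_db():
    """In-memory stand-in database with constructed rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE device (uid TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO device VALUES (?, ?)",
                   [("12345", "scanner-A"), ("67890", "scanner-B")])
    return db

def lookup_concat(db, device_uid):
    """BEFORE: the parameter becomes part of the SQL text itself."""
    sql = "SELECT name FROM device WHERE uid = '" + device_uid + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def lookup_bound(db, device_uid, validate=True):
    """AFTER: allow-list check, then a bound parameter that is only ever data."""
    if validate and not UID_RE.fullmatch(device_uid):
        raise ValueError("invalid deviceUID")
    row = db.execute("SELECT name FROM device WHERE uid = ?",
                     (device_uid,)).fetchone()
    return row[0] if row else None

def classify(db, device_uid):
    """Report how each variant treats one input."""
    result = {}
    try:
        result["concat"] = lookup_concat(db, device_uid)
    except sqlite3.OperationalError:
        result["concat"] = "statement altered"  # quote broke out of the literal
    try:
        result["bound"] = lookup_bound(db, device_uid)
    except ValueError:
        result["bound"] = "rejected"
    result["bound_unvalidated"] = lookup_bound(db, device_uid, validate=False)
    return result

if __name__ == "__main__":
    db = make_db()
    for uid in ("12345", "12345'"):
        print(repr(uid), classify(db, uid))
```

Even with validation switched off, the bound query treats the trailing quote as part of the value and simply finds no matching device, so the fix does not depend on any upstream filter recognising the input.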
Bypassing the WAF with Claude
Despite the endpoint’s placement behind an AWS Web Application Firewall, traditional tools such as sqlmap struggled to exploit the vulnerability.
Subsequently, the researcher utilized Claude Code with the Opus model, which uncovered that the WAF merely scrutinized the outermost layer of input. As a result, injection payloads nested within a derived subquery eluded detection.
As the endpoint did not yield direct query output, Claude devised a boolean-based blind SQL injection exploiting a MySQL quirk wherein adding a string like 'x' to a number coerces the string to zero.
Payloads such as deviceUID = x'+(SELECT CASE WHEN THEN 1 ELSE 0 END)-- - were meticulously crafted, enabling the response to oscillate between two genuine device identifiers (“MC70-023” representing true and “Intellitix Upload” for false), thus forming a reliable oracle for incrementally extracting data.
The underlying fgs database comprised over 500 tables, encompassing sensitive information such as staff credentials, customer records, and live authentication tokens.
| Table | Sensitive Fields Exposed |
|---|---|
| FGS_USER | Email, passcode, passcode2, permissions JSON |
| PERSON | Email, passcode, reset token |
| RESET_TOKEN / API_TOKEN | Active, redeemable session and OAuth tokens |
By analyzing a live entry from the RESET_TOKEN table post-password reset activation, the researcher commandeered an administrator account without knowledge of its password, thereby acquiring comprehensive write access to every festival on the platform, affecting inventory, pricing, and checkout systems.
With such elevated access, an attacker could issue limitless complimentary “comp” tickets for any festival, peruse customer order databases at will (with a search for “chris” yielding thousands of records), and read or redeem password reset tokens to compromise staff and customer accounts throughout the platform.
The researcher refrained from exfiltrating bulk data, asserting that the demonstration was complete once control akin to that at EDC and Bonnaroo was obtained from a single unauthorized GET request.
Remarkably, Front Gate Tickets and Live Nation lacked a publicly available security contact, forcing the researcher to guess a valid disclosure email address.
The vendor reportedly addressed the vulnerability swiftly and indicated that a bug bounty program would be launched imminently.
This incident highlights a burgeoning trend in AI-supported vulnerability research, wherein advanced language models like Claude can autonomously reverse-engineer WAF logic and formulate multi-stage blind injection exploits with minimal human intervention.

This phenomenon mirrors Anthropic’s own disclosures of AI-driven attacks and independent evaluations demonstrating AI agents successfully exploiting SQL injection vulnerabilities without explicit hacking directives.
The legacy ticketing infrastructure, which handles both consumer transactions and physical box office operations, remains an alluring target due to the vast array of personal and financial data involved.
Source link: Cybersecuritynews.com.





