Claude Helped a Hacker Find a Way to Issue Tickets to Almost Every US Music Festival


As a security researcher who specializes in finding web vulnerabilities, he decided to poke around Front Gate’s web domain for bugs. He quickly found what looked like a SQL injection vulnerability—a common flaw that allows a hacker to input commands into a text field on a website, causing them to run on the site’s backend and sometimes send back data stored there in a database. But a web application firewall on the site appeared to be blocking him from exploiting it.

So he asked Claude Opus 4.7, the most advanced AI model Anthropic made available to the general public at the time, to find a way to exploit the flaw. It immediately coded a hacking technique that bypassed the firewall. “It was the first time, really, that I had a vulnerability that I didn't fully understand,” says Carroll. “I had to go back and read what Claude had written to understand the bypass, because I didn't write it. Claude did it completely by itself.”

Claude had, in fact, found that a “nested SQL query”—a SQL query inside of another SQL query—could evade the firewall’s detection. Soon the AI tool had written a script that displayed samples from a table of 500 databases of exposed event data. In total, Carroll believes that the vulnerability he and Claude found would have provided access to the information of millions of customers, including names, emails, and mailing addresses—but not credit card details—as well as that of Front Gate’s staff.

With access to staff data, Carroll quickly found that he could also take over staff accounts. He searched for a super administrator’s account, clicked the option to reset its password, and was able to find the reset code that the site had sent to the administrator’s email stored in the site’s backend. He then used it to confirm the reset, setting a new password and taking over the administrator’s account.
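
The takeover worked because the reset code was readable from the site’s backend. The following is an added illustration, not Front Gate’s code or anything from the article, of the standard mitigation: store only a hash of a short-lived, single-use reset token, so that reading the table yields nothing that completes a reset (function and table names are hypothetical).

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # reset links expire after 15 minutes

# Constructed in-memory stand-in for a reset table: user_id -> (token_hash, expires_at)
_reset_table: dict[str, tuple[str, float]] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a reset token, store only its hash, and return the raw token.

    The raw token goes to the user's mailbox and nowhere else; the table
    holds a SHA-256 digest that cannot be turned back into the token.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_table[user_id] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
    return token


def consume_reset_token(user_id: str, presented: str, now: Optional[float] = None) -> bool:
    """Accept a presented token only if its hash matches, it is unexpired, and unused."""
    now = time.time() if now is None else now
    record = _reset_table.get(user_id)
    if record is None:
        return False
    token_hash, expires_at = record
    if now > expires_at:
        del _reset_table[user_id]  # expired tokens are purged, not honoured
        return False
    if not hmac.compare_digest(token_hash, _hash_token(presented)):
        return False  # constant-time compare; wrong token leaves the record intact
    del _reset_table[user_id]  # a token completes at most one reset
    return True


def stored_value_for(user_id: str) -> Optional[str]:
    """What someone reading the table would see: the digest only, never the token."""
    record = _reset_table.get(user_id)
    return None if record is None else record[0]
```

Presenting the stored digest itself to `consume_reset_token` fails, which is the property a reader of the backend table would need to defeat.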

Soon he was looking at the most expensive tickets he could find for Bonnaroo and adding them as comp tickets to a kind of shopping cart. “It seems like you could do that for every single event that you wanted to,” Carroll says. (He didn’t actually complete an order and issue any tickets for fear of crossing a line and being charged with fraud.)

Carroll was surprised to see just how easy his takeover technique was: No two-factor authentication prevented a leaked, stolen, or guessed password from giving someone full access. “There's just this one centralized company issuing all tickets for every single festival,” Carroll says. “And even without this vulnerability, if you knew someone's password, you could just log in without any verification and issue free tickets.”

Perhaps most remarkable, Carroll says, is that Front Gate didn’t appear to have properly audited its own site for simple vulnerabilities, either with human hunters or the AI ones that appear to now make the bug-finding process scarily easy.

“It just feels concerning when you think these very professional music festivals with professional websites are well-run,” says Carroll. “Then you get access, and you realize it's all held together by duct tape and prayers.”
