Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

As a security researcher who specializes in finding web vulnerabilities, he decided to search Front Gate’s web domain for bugs. He soon discovered what looked like a SQL injection vulnerability, a common flaw that allows a hacker to enter commands into a text field on a website, causing them to run on the site’s backend and sometimes sending data stored there in a database. But the site’s web application firewall appears to be preventing it from being exploited.
So Cloud asked Opus 4.7, the most advanced AI model made available to the general public at the time, to find a way to exploit the flaw. He immediately encrypted the hacking technique that bypassed the firewall. “This was the first time I encountered a vulnerability that I didn’t fully understand,” Carroll says. “I had to go back and read what Claude wrote to understand the detour, because I didn’t write it. Claude did it entirely himself.”
In fact, Claude discovered that a “nested SQL query”—an SQL query inside another SQL query—can evade firewall detection. The AI tool quickly wrote a script that sampled a table of 500 databases of exposed customer information. In all, Carroll believes the vulnerability he and Claude discovered would have provided access to the information of millions of customers, including names, email addresses and postal addresses – but not credit card details – as well as Front Gate employee information.
By accessing employee data, Carroll quickly discovered that he could also take over employee accounts. He searched for a premium admin account, clicked on the option to reset his password, and was able to find a reset code that the site sent to the admin email stored in the site’s backend. Then use it to confirm the reset, set a new password, and take over the administrator account.
Soon he was looking through the most expensive Bonnaroo tickets he could find, adding them as corporate tickets to his shopping cart. “It seems like you can do this for every event you want,” Carroll says. (He did not actually complete the order nor issue any tickets for fear of jumping the line and being accused of fraud.)
Carroll was surprised to see how easy his takeover method was: two-factor authentication did not prevent a leaked, stolen, or guessed password from granting someone full access. “There is only one central company that issues all the tickets for each individual festival,” Carroll says. “Even without this vulnerability, if you know someone’s password, you can log in without any verification and be issued free tickets.”
Perhaps most striking, Carroll says, is that FrontGate did not appear to properly review its own site for simple vulnerabilities, either with human hunters or artificial intelligence that now appears to make bug-spotting frighteningly easy.
“It’s worrying when you think that these professional music festivals with professional websites are well run,” Carroll says. “Then you get there, and you realize it’s all held together by duct tape and prayer.”