As a safety researcher who makes a speciality of discovering internet vulnerabilities, he determined to poke round Entrance Gate’s internet area for bugs. He shortly discovered what seemed like a SQL injection vulnerability—a standard flaw that enables a hacker to enter instructions right into a textual content discipline on an internet site, inflicting them to run on the positioning’s backend and generally ship again information saved there in a database. However an internet software firewall on the positioning gave the impression to be blocking him from exploiting it.
So he requested Claude Opus 4.7, essentially the most superior AI mannequin Anthropic made obtainable to most people on the time, to discover a solution to exploit the flaw. It instantly coded a hacking method that bypassed the firewall. “It was the primary time, actually, that I had a vulnerability that I did not absolutely perceive,” says Carroll. “I had to return and browse what Claude had written to grasp the bypass, as a result of I did not write it. Claude did it fully by itself.”
Claude had, actually, discovered {that a} “nested SQL question”—a SQL question within one other SQL question—may evade the firewall’s detection. Quickly the AI instrument had written a script that displayed samples from a desk of 500 databases of uncovered buyer data. In complete, Carroll believes that the vulnerability he and Claude discovered would have offered entry to the data of thousands and thousands of consumers, together with names, emails, and mailing addresses—however not bank card particulars—in addition to that of Entrance Gate’s workers.
With entry to workers information, Carroll shortly discovered that he may additionally take over workers accounts. He looked for an excellent administrator’s account, clicked the choice to reset its password, and was capable of finding the reset code that the positioning had despatched to the administrator’s electronic mail saved within the web site’s backend. He then used it to verify the reset, setting a brand new password and taking up the administrator’s account.
Quickly he was the costliest tickets he may discover for Bonnaroo and including them as comp tickets to a type of procuring cart. “It looks like you might try this for each single occasion that you just wished to,” Carroll says. (He didn’t truly full an order and challenge any tickets for worry of crossing a line and being charged with fraud.)
Carroll was shocked to see simply how simple his takeover technique was: No two-factor authentication prevented a leaked, stolen, or guessed password from giving somebody full entry. “There’s simply this one centralized firm issuing all tickets for each single competition,” Carroll says. “And even with out this vulnerability, in the event you knew somebody’s password, you might simply log in with none verification and challenge free tickets.”
Maybe most exceptional, Carroll says, is that Entrance Gate didn’t seem to have correctly audited its personal web site for easy vulnerabilities, both with human hunters or the AI ones that appear to now make the bug-finding course of scarily simple.
“It simply feels regarding while you assume these very skilled music festivals with skilled web sites are well-run,” says Carroll. “Then you definitely get entry, and also you understand it is all held collectively by duct tape and prayers.”
