- Security researcher Ian Carroll used Claude Opus 4.7 to find a technique giving full super-administrator access to Front Gate Tickets.
- Front Gate — a Live Nation subsidiary, like Ticketmaster — handles ticketing for practically every major US music festival, including Lollapalooza, SXSW, and Austin City Limits.
- The flaw exposed millions of customer and staff records and let him issue free tickets of any value to any event.
- Carroll did not exploit it; he reported his findings to Front Gate.
What Happened
Security researcher Ian Carroll used Claude Opus 4.7 in April to discover a technique that gave him full access to the systems of Front Gate Tickets, Wired reports. Front Gate — a Live Nation Entertainment subsidiary, like Ticketmaster — handles ticketing for practically every major US music festival, from Lollapalooza and South by Southwest to Austin City Limits.
With Claude‘s help, Carroll found a bug he could exploit to reach millions of customer or staff records and freely issue tickets for any event, of any value.
Why It Matters
The case reframes AI-hacking risk away from science-fiction scenarios toward something far more plausible: AI-assisted discovery of real vulnerabilities in ordinary web systems. As models grow more capable at coding — Claude now writes about 4% of public GitHub commits — the same skill accelerates finding exploitable flaws, a dual-use concern behind calls to govern advanced AI capabilities.
Technical Details
Carroll used Claude Opus 4.7 to identify a website bug in Front Gate’s systems that granted super-administrator access. From there he could reach millions of records and issue tickets without limit. “It was pretty cool to see a ticket that’s $4,000, and I could just hit a button and issue as many as I wanted,” Carroll told Wired. “I could go to every single event with no limitations or restrictions … even if it’s sold out.”
Who’s Affected
Front Gate and parent Live Nation face a serious exposure of customer and staff data; festival-goers were the potential victims. The security-research community gains a concrete example of AI as a discovery accelerant. AI providers face renewed dual-use scrutiny, since the same agentic coding ability that assists developers also assists vulnerability hunting.
What’s Next
Carroll — who runs the startup Seats.aero and does independent security research — followed responsible disclosure, reporting the flaw rather than abusing it. The broader question is what happens as AI lowers the barrier to finding such bugs: whether defenders adopt the same tools fast enough, and whether every high-value web platform is now one capable model away from a similar finding.