Claude Helped Hacker Find A Way To Give Out Tickets To Almost Every Music Festival In The US


As a security researcher who specializes in finding vulnerabilities in Internet-facing systems, he decided to look at Front Gate’s website for bugs. He quickly discovered what appeared to be an SQL injection vulnerability, a common flaw that lets an attacker smuggle database commands into input a website passes to its database, which can cause the site to execute them and sometimes return data stored there. But the web application firewall on the site appeared to prevent him from exploiting it.

So he asked Claude Opus 4.7, the most advanced version of Anthropic’s AI released to the public at the time, to find a way around the obstacle. It immediately wrote a technique that bypassed the firewall. “It was the first time, really, that I had a threat that I didn’t understand,” says Carroll. “I had to go back and read what Claude wrote to understand the passage, because I didn’t write it down.”

Claude discovered that a nested query, an SQL query written inside another SQL query, could evade the firewall’s detection. In no time the AI tool was writing scripts that pulled samples of 500 customer records from the database. All in all, Carroll believes the vulnerability he and Claude found would have provided access to information about millions of customers, including names, email addresses, and physical addresses — but not credit card information — as well as information about Front Gate employees.

With access to employee information, Carroll quickly discovered that he could also take over employee accounts. He searched for the super administrator account, clicked on the option to reset its password, and found the recovery code that the site had sent to the administrator’s email stored on the site’s backend. He then used it to confirm the reset, set a new password, and take over the administrator account.

Soon he was looking for the most expensive tickets he could find for Bonnaroo and adding them to the shopping cart as standard tickets. “It seems like you can do this for anything you want,” Carroll says. (He did not complete the order or hand out any tickets, for fear of crossing a legal line and being accused of fraud.)

Carroll was surprised by how simple his hacking method was: no two-factor authentication stood in the way, so a weak, stolen, or guessed password alone was enough to give someone that level of access. “There’s only this one company that’s offering all the tickets for every festival,” says Carroll. “And even without this risk, if you know someone’s password, you can just log in without authentication and issue free tickets.”

Perhaps the biggest surprise, says Carroll, is that Front Gate does not appear to have had its sites properly tested for vulnerabilities, whether by human bug hunters or by AI tools that appear to make finding such flaws easier.

“It makes sense when you think that the art music festivals with the art pages are doing well,” says Carroll. “Then you get lucky, and you realize it’s all held together with tape and prayers.”
