Claude Helped a Hacker Discover a Method to Concern Tickets to Virtually Each US Music Pageant


As a safety researcher who makes a speciality of discovering internet vulnerabilities, he determined to poke round Entrance Gate’s internet area for bugs. He rapidly discovered what regarded like a SQL injection vulnerability—a typical flaw that permits a hacker to enter instructions right into a textual content discipline on a web site, inflicting them to run on the web site’s backend and typically ship again information saved there in a database. However an internet utility firewall on the web site appeared to be blocking him from exploiting it.

So he requested Claude Opus 4.7, the most superior AI mannequin Anthropic made obtainable to the normal public at the time, to discover a method to exploit the flaw. It instantly coded a hacking method that bypassed the firewall. “It was the first time, actually, that I had a vulnerability that I did not absolutely perceive,” says Carroll. “I had to return and browse what Claude had written to perceive the bypass, as a result of I did not write it. Claude did it utterly by itself.”

Claude had, in truth, discovered {that a} “nested SQL question”—a SQL question within one other SQL question—may evade the firewall’s detection. Quickly the AI device had written a script that displayed samples from a desk of 500 databases of uncovered buyer information. In complete, Carroll believes that the vulnerability he and Claude discovered would have offered entry to the information of hundreds of thousands of consumers, together with names, emails, and mailing addresses—however not bank card details—in addition to that of Entrance Gate’s workers.

With entry to workers information, Carroll rapidly discovered that he may additionally take over workers accounts. He looked for a brilliant administrator’s account, clicked the possibility to reset its password, and was in a position to discover the reset code that the web site had despatched to the administrator’s electronic mail saved in the web site’s backend. He then used it to affirm the reset, setting a brand new password and taking on the administrator’s account.

Quickly he was taking a look at the most costly tickets he may discover for Bonnaroo and including them as comp tickets to a form of procuring cart. “It looks as if you would try this for each single occasion that you simply wished to,” Carroll says. (He didn’t really full an order and situation any tickets for worry of crossing a line and being charged with fraud.)

Carroll was shocked to see simply how simple his takeover methodology was: No two-factor authentication prevented a leaked, stolen, or guessed password from giving somebody full entry. “There’s simply this one centralized firm issuing all tickets for each single pageant,” Carroll says. “And even with out this vulnerability, should you knew somebody’s password, you would simply log in with none verification and situation free tickets.”

Maybe most exceptional, Carroll says, is that Entrance Gate didn’t seem to have correctly audited its personal web site for easy vulnerabilities, both with human hunters or the AI ones that appear to now make the bug-finding course of scarily simple.

“It simply feels regarding once you suppose these very skilled music festivals with skilled web sites are well-run,” says Carroll. “You then get entry, and also you notice it is all held collectively by duct tape and prayers.”




Disclaimer: This article is sourced from external platforms. OverBeta has not independently verified the information. Readers are advised to verify details before relying on them.

0
Show Comments (0) Hide Comments (0)
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments

Stay Updated!

Subscribe to get the latest blog posts, news, and updates delivered straight to your inbox.