In its response to WIRED, Front Gate’s spokesperson argued that the company’s security safeguards limited the exposure of personal information, that the fraudulent issuing of tickets would have left an audit trail, and that tickets issued by a hacker would have been detected and canceled before they could be used. Carroll counters that those claims are uncertain at best. He says he successfully gained super-administrator privileges on the company’s platform without any discernible response from the company, and did in fact access the site via a public-facing login portal.
Carroll also notes that Front Gate doesn’t claim to have evidence the vulnerability wasn’t previously exploited. What’s more, Front Gate confirmed Carroll’s findings after he shared a draft of a blog post about his discovery with the company, prior to WIRED reaching out to Front Gate. In its response to Carroll at the time, the company didn’t dispute that he was able to generate tickets at will.
Carroll says he first became aware of Front Gate a couple of months ago, when he was considering attending Electric Daisy Carnival, a giant electronic dance music festival in his hometown of Las Vegas. He saw that the festival’s ticketing was run by Front Gate and was intrigued to see when he checked other festivals’ websites that the same company ran ticketing for practically every major US music festival other than Coachella. “This is like Ticketmaster but for music festivals,” he remembers thinking. “They have the monopoly, essentially.”
A list of music festivals Carroll found in Front Gate Tickets' system. (Although they're marked as 2025, Carroll says clicking through revealed event dates for 2026.)
As a security researcher who specializes in finding web vulnerabilities, he decided to poke around Front Gate’s web domain for bugs. He quickly found what looked like a SQL injection vulnerability—a common flaw that allows a hacker to input commands into a text field on a website, causing them to run on the site’s backend and sometimes send back data stored there in a database. But a web application firewall on the site appeared to be blocking him from exploiting it.
So he asked Claude Opus 4.7, the most advanced AI model Anthropic made available to the general public at the time, to find a way to exploit the flaw. It immediately coded a hacking technique that bypassed the firewall. “It was the first time, really, that I had a vulnerability that I didn't fully understand,” says Carroll. “I had to go back and read what Claude had written to understand the bypass, because I didn't write it. Claude did it completely by itself.”
Claude had, in fact, found that a “nested SQL query”—a SQL query inside of another SQL query—could evade the firewall’s detection. Soon the AI tool had written a script that displayed samples from a table of 500 databases of exposed customer information. In total, Carroll believes that the vulnerability he and Claude found would have provided access to the information of millions of customers, including names, emails, and mailing addresses—but not credit card details—as well as that of Front Gate’s staff.
With access to staff data, Carroll quickly found that he could also take over staff accounts. He searched for a super administrator’s account, clicked the option to reset its password, and was able to find the reset code that the site had sent to the administrator’s email stored in the site’s backend. He then used it to confirm the reset, setting a new password and taking over the administrator’s account.
Soon he was looking at the most expensive tickets he could find for Bonnaroo and adding them as comp tickets to a kind of shopping cart. “It seems like you could do that for every single event that you wanted to,” Carroll says. (He didn’t actually complete an order and issue any tickets for fear of crossing a line and being charged with fraud.)
Carroll was surprised to see just how easy his takeover method was: No two-factor authentication prevented a leaked, stolen, or guessed password from giving someone full access. “There's just this one centralized company issuing all tickets for every single festival,” Carroll says. “And even without this vulnerability, if you knew someone's password, you could just log in without any verification and issue free tickets.”
Perhaps most remarkable, Carroll says, is that Front Gate didn’t appear to have properly audited its own site for simple vulnerabilities, either with human hunters or the AI ones that seem to now make the bug-finding process scarily easy.
“It just feels concerning when you think these very professional music festivals with professional websites are well-run,” says Carroll. “Then you get access, and you realize it's all held together by duct tape and prayers.”