AI-Assisted SQL Injection Exploit Compromises Major Event Ticketing Platform

An AI model helped a security researcher bypass a web application firewall and exploit a SQL injection vulnerability in a major ticketing platform used by Live Nation and Ticketmaster.

CSBadmin

Vulnerability Discovery and Exploitation

A researcher discovered a critical unauthenticated SQL injection vulnerability within Front Gate Tickets (FGT), a subsidiary of Live Nation and Ticketmaster that handles ticketing for major US festivals like EDC, Bonnaroo, and Outside Lands. While testing the fgtapi.frontgatetickets.com API, the researcher found that any endpoint containing the word “device” triggered an error requiring a deviceUID parameter, which was directly concatenated into a raw SQL query without sanitization. Initial attempts to exploit this using conventional tools like sqlmap failed because the endpoint was protected by an AWS Web Application Firewall (WAF).
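The concatenation flaw described above, shown beside its fix, as an added example that is not code from Front Gate Tickets or the researcher. The table and column names, the UID format and the sample rows are assumptions, and SQLite stands in for MySQL so the block runs offline.

```python
import re
import sqlite3

UID_FORMAT = re.compile(r"[A-Za-z0-9-]{1,64}")  # assumed shape of a deviceUID
TAMPERED = "nope' OR '1'='1"  # constructed input containing a quote character

def make_db():
    """In-memory database with constructed rows; schema names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE device (device_uid TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO device VALUES (?, ?)",
                   [("a1b2c3", "Gate Scanner 1"), ("d4e5f6", "Gate Scanner 2")])
    return db

def lookup_concatenated(db, device_uid):
    """Flawed pattern: the parameter is pasted into the SQL text itself."""
    sql = "SELECT name FROM device WHERE device_uid = '" + device_uid + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, device_uid):
    """Fix: the driver passes the value separately, so it is only ever data."""
    sql = "SELECT name FROM device WHERE device_uid = ?"
    return [row[0] for row in db.execute(sql, (device_uid,))]

def lookup_validated(db, device_uid):
    """Defense in depth: reject malformed values before the query is issued."""
    if not isinstance(device_uid, str) or not UID_FORMAT.fullmatch(device_uid):
        raise ValueError("deviceUID has an unexpected format")
    return lookup_bound(db, device_uid)

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concatenated(db, TAMPERED))  # every row matches
    print("bound:       ", lookup_bound(db, TAMPERED))         # no row matches
    try:
        lookup_validated(db, TAMPERED)
    except ValueError as exc:
        print("validated:   ", exc)
```

A WAF placed in front of the first function filters requests but leaves the query construction unchanged, which is why the fix belongs in the data-access code.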

AI-Assisted Bypass and Data Extraction

The researcher then used Claude Code running the Opus model, which identified a method to bypass the WAF by nesting injection payloads inside a derived subquery. Claude engineered a boolean-based blind SQL injection technique that exploited a MySQL quirk where a string like ‘x’ added to a number is coerced to zero. With specifically crafted payloads, the response toggled between two real device names, creating a reliable oracle for extracting data one bit at a time from the underlying fgs database, which contained over 500 tables including staff credentials and customer records.

Impact and Scope

By reading a live entry from the RESET_TOKEN table after triggering a password reset, the researcher hijacked an administrator account without knowing its password, gaining full write access to every festival on the platform. This access allowed issuing unlimited free tickets, searching customer order databases, and redeeming password reset tokens to hijack staff and customer accounts platform-wide. Front Gate Tickets and Live Nation had no publicly listed security contact, forcing the researcher to guess a valid disclosure email. The vendor reportedly fixed the flaw quickly and indicated a bug bounty program is forthcoming.

Source: Cyber Security News
