SAN FRANCISCO, July 2 -- Ian Carroll has spent years finding the kind of security flaws that make institutions uncomfortable, including a widely reported hole in TSA's boarding pass verification system. His latest find, disclosed this week, involves a different kind of access: not a plane, but the backstage gate at nearly every major music festival in the United States.

Carroll discovered an unauthenticated SQL injection vulnerability in the device API of Front Gate Tickets, the Live Nation subsidiary that handles ticketing for festivals including Bonnaroo, Electric Daisy Carnival and Outside Lands. According to his own technical writeup, a parameter called deviceUID was being concatenated directly into database queries without sanitizat...