Ian Carroll (born March 16, 2000) is an American ethical hacker, bug bounty hunter, and security researcher. He is the founder of the award-flight search engine Seats.aero and is known for uncovering critical cybersecurity vulnerabilities in the aviation, automotive, and hospitality industries.
Biography
Carroll began reporting security flaws as a teenager and later held engineering roles at Dropbox and Robinhood, where he led portions of the companies' vulnerability disclosure and bug bounty initiatives.
Seats.aero (2022–present)
Carroll launched Seats.aero in June 2022 as a tool for finding real-time award-flight availability across dozens of loyalty programs. Within a year the site surpassed one million monthly page views and was hailed by AwardWallet as "one of the best new points-and-miles utilities." In October 2023, Air Canada sued Carroll and Seats.aero under the Computer Fraud and Abuse Act over automated scraping of award-fare data; a U.S. judge denied the airline's request for a preliminary injunction in March 2024, allowing the site to continue operating while litigation proceeds.
Notable security research
- Points.com loyalty platform (2023). Carroll, with Sam Curry and others, identified API flaws that could let attackers commandeer airline and hotel loyalty accounts or mint unlimited miles before the vendor deployed fixes.
- Automotive APIs (2022). As part of a research group, Carroll helped reveal remote control and tracking vulnerabilities affecting more than a dozen car brands, including BMW, Ford, and Porsche.
- "Unsaflok" hotel locks (2024). Together with Belgian researcher Lennert Wouters, Carroll disclosed weaknesses in Dormakaba Saflok RFID door locks, installed on over three million hotel doors, allowing near-instant unauthorized entry. Full technical details were presented at DEF CON 32.
- TSA Known Crewmember/CASS SQL injection (2024). Carroll documented an injection flaw in the FlyCASS portal that could grant unauthorized "crew" status, potentially bypassing airport security.
- McDonald's hiring bot breach (2025). Carroll and Sam Curry found that Paradox.ai's McHire platform was protected by the username "admin" and password "123456," exposing tens of millions of applicant records.
Talks
- DEF CON 32 (Las Vegas, 2024), "Unsaflok: Hacking millions of hotel locks" (with Lennert Wouters).
Publications
- "Bypassing airport security via SQL injection," *ian.sh*, 2024.
- Lily Newman, "Hackers Could Have Scored Unlimited Airline Miles by Targeting One Platform," *Wired*, 2023.
- Andy Greenberg, "Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds," *Wired*, 2024.
- Andy Greenberg, "McDonald's AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Who Tried the Password '123456'," *Wired*, 2025.