Ian Carroll (software developer): Difference between revisions

Magistr8 (talk | contribs)
Created Ian Carroll wikipedia (first issue)
 
 
(6 intermediate revisions by 6 users not shown)
Line 1:
{{Short description|American computer security researcher}}
 
{{Infobox person
| name = Ian Carroll
| image = <!-- no free image available -->
| caption = Carroll in 2024
| birth_date = {{Birth date and age|19992000|3|16}}
| birth_place = <!-- not publicly disclosed -->
| nationality = {{flag|United States}}
Line 12 ⟶ 11:
}}
 
'''Ian Carroll''' (born March 16, 19992000) is an American [[ethical hacker]], bug bounty hunter, and security researcher. He is the founder of the award-flight search engine Seats.aero and is known for uncovering critical cybersecurity vulnerabilities in the aviation, automotive, and hospitality industries.<ref name="WiredMiles">{{cite web |last=Newman |first=Lily |title=Hackers Could Have Scored Unlimited Airline Miles by Targeting One Platform |url=https://www.wired.com/story/points-travel-rewards-platform-flaws/ |website=Wired |publisher=Condé Nast |date=3 August 2023 |access-date=14 July 2025}}</ref><ref name="WiredSaflok">{{cite web |last=Greenberg |first=Andy |title=Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds |url=https://www.wired.com/story/saflok-hotel-lock-unsaflok-hack-technique/ |website=Wired |publisher=Condé Nast |date=21 March 2024 |access-date=14 July 2025}}</ref><ref name="WiredMcDonalds">{{cite web |last=Greenberg |first=Andy |title=McDonald’s AI Hiring Bot Exposed Millions of Applicants’ Data to Hackers Who Tried the Password ‘123456’ |url=https://www.wired.com/story/mcdonalds-ai-hiring-chat-bot-paradoxai/ |website=Wired |publisher=Condé Nast |date=9 July 2025 |access-date=14 July 2025}}</ref>
 
== Biography ==
Carroll began reporting security flaws as a teenager and later held engineering roles at Dropbox and Robinhood, where he led portions of the companies’ vulnerability disclosure and bug bounty initiatives.<ref>{{cite web |title=Ian Carroll – Profile |url=https://www.linkedin.com/in/ian-carroll-a56b8758/ |website=LinkedIn |publisher=LinkedIn |access-date=14 July 2025}}[[Wikipedia:SPS|{{sup|[''self-published'']}}]]</ref>
 
=== Seats.aero (2022–present) ===
Carroll launched '''Seats.aero''' in June 2022 as a tool for finding real-time award-flight availability across dozens of loyalty programs. Within a year the site surpassed one million monthly page views and was hailed by AwardWallet as “one of the best new points-and-miles utilities.”<ref>{{cite web |title=Seats.aero Review – The New Award Search Tool You Need |url=https://awardwallet.com/blog/seats-aero-review |website=AwardWallet |publisher=AwardWallet |date=4 September 2023 |access-date=14 July 2025}}</ref>
In October 2023, Air Canada sued Carroll and Seats.aero under the [[Computer Fraud and Abuse Act]] over automated scraping of award-fare data; a U.S. judge denied the airline's request for a preliminary injunction in March 2024, allowing the site to continue operating while litigation proceeds.<ref>{{cite news |title=Air Canada Sues Award-Search Start-Up Over Data Scraping |url=https://www.bloomberglaw.com/aircanada-seats-aero-lawsuit |work=Bloomberg Law |publisher=Bloomberg L.P. |date=27 October 2023 |access-date=14 July 2025}}</ref>
 
=== Notable security research ===
Line 25 ⟶ 24:
* '''Automotive APIs (2022).''' As part of a research group, Carroll helped reveal remote control and tracking vulnerabilities affecting more than a dozen car brands, including BMW, Ford, and Porsche.<ref>{{cite web |title=Research Team Finds Flaws in 16 Auto Manufacturers’ APIs |url=https://thehackernews.com/2022/12/siriusxm-vulnerability-lets-hackers.html |website=The Hacker News |publisher=THN |date=2 December 2022 |access-date=14 July 2025}}</ref>
* '''“Unsaflok” hotel locks (2024).''' Together with Belgian researcher Lennert Wouters, Carroll disclosed weaknesses in Dormakaba Saflok RFID door locks—installed on over three million hotel doors—allowing near-instant unauthorized entry.<ref name="WiredSaflok" /> Full technical details were presented at [[DEF CON]] 32.<ref name="DEFCONUnsaflok">{{cite web |title=DEF CON 32 – Unsaflok: Hacking Millions of Hotel Locks |url=https://defcon.org/html/defcon-32/dc-32-speakers.html#Carroll |website=DEF CON |publisher=DEF CON Communications |access-date=14 July 2025}}</ref>
* '''TSA Known Crewmember/CASS SQL injection (2024).''' Carroll documented an injection flaw in the FlyCASS portal that could grant unauthorized “crew” status, potentially bypassing airport security.<ref name="Carroll">{{cite web |last=Carroll |first=Ian |title=Bypassing airport security via SQL injection |url=https://ian.sh/tsa |website=ian.sh |date=29 August 2024 |access-date=14 July 2025}}</ref>
* '''McDonald's hiring bot breach (2025).''' Carroll and Sam Curry found that Paradox.ai's McHire platform was protected by the username “admin” and password “123456,” exposing tens of millions of applicant records.<ref name="WiredMcDonalds" />
 
== Talks ==
Line 32 ⟶ 31:
 
== Publications ==
* “Bypassing airport security via SQL injection,” *ian.sh*, 2024.<ref name="Carroll" />
* Lily Newman, "Hackers Could Have Scored Unlimited Airline Miles by Targeting One Platform," *Wired*, 2023.<ref name="WiredMiles" />
* Andy Greenberg, “Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds,” *Wired*, 2024.<ref name="WiredSaflok" />
Line 43 ⟶ 42:
 
{{DEFAULTSORT:Carroll, Ian}}
[[Category:HackersAmerican hackers]]
[[Category:1999 births]]
[[Category:Living people]]
[[Category:AmericanEthical computer security specialistshackers]]