He seems credible at my level of unknowingness. There are Google bits out there about his being featured on ROGAN, which will likely be an automatic disqualifier here - hey, "freedom of association"? and Stopped Clock?
********QUOTE*******
https://en.wikipedia.org/wiki/Ian_Carroll_(software_developer)#References
Ian Carroll (born March 16, 2000) is an American ethical hacker, bug bounty hunter, and security researcher. He is the founder of the award-flight search engine Seats.aero and is known for uncovering critical cybersecurity vulnerabilities in the aviation, automotive, and hospitality industries.[1][2][3]
Biography
Carroll began reporting security flaws as a teenager and later held engineering roles at Dropbox and Robinhood, where he led portions of the companies’ vulnerability disclosure and bug bounty initiatives.[4]
Seats.aero (2022–present)
Carroll launched Seats.aero in June 2022 as a tool for finding real-time award-flight availability across dozens of loyalty programs. Within a year the site surpassed one million monthly page views and was hailed by AwardWallet as “one of the best new points-and-miles utilities.”[5] In October 2023, Air Canada sued Carroll and Seats.aero under the Computer Fraud and Abuse Act over automated scraping of award-fare data; a U.S. judge denied the airline's request for a preliminary injunction in March 2024, allowing the site to continue operating while litigation proceeds.[6]
Notable security research
Points.com loyalty platform (2023). Carroll, with Sam Curry and others, identified API flaws that could let attackers commandeer airline and hotel loyalty accounts or mint unlimited miles before the vendor deployed fixes.[1]
Automotive APIs (2022). As part of a research group, Carroll helped reveal remote control and tracking vulnerabilities affecting more than a dozen car brands, including BMW, Ford, and Porsche.[7]
“Unsaflok” hotel locks (2024). Together with Belgian researcher Lennert Wouters, Carroll disclosed weaknesses in Dormakaba Saflok RFID door locks—installed on over three million hotel doors—allowing near-instant unauthorized entry.[2] Full technical details were presented at DEF CON 32.[8]
TSA Known Crewmember/CASS SQL injection (2024). Carroll documented an injection flaw in the FlyCASS portal that could grant unauthorized “crew” status, potentially bypassing airport security.[9]
McDonald's hiring bot breach (2025). Carroll and Sam Curry found that Paradox.ai's McHire platform was protected by the username “admin” and password “123456,” exposing tens of millions of applicant records.[3]
*********UNQUOTE***
= new reply since forum marked as read
