‼️H&R Block Business 2025 Backdoor‼️

I found a TLS backdoor in H&R Block software. They install a wildcard root CA (expiry 2049) into your trusted root certificate store and include the private key in the application DLL.

youtube.com/watch?v=5paxvYkz1QE

hrbackdoor.yifanlu.com

Lmao @Hacker0x01 told me the backdoor was known "through internal security assessments" and they're "closing this report as out of scope". But now they are pissed I disclosed it. Nobody should use this joke of a platform that puts the interests of companies over those of users.

Update: @Hacker0x01 replied to my email and I have my response inline. I hope this is the last I will hear about this because frankly I do not have the time or energy to care any more about this than what I have already done.
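One way to check a Windows machine for a root like the one described above, as an added example that is not from the original post or from H&R Block: a PowerShell audit of both trusted root stores that flags CA certificates with an unusually distant expiry or absent from a baseline of known-good thumbprints (the 2040 threshold and the baseline file are my assumptions).

```powershell
# Added example, not from the original post: audit Windows trusted root stores.
# Assumptions: Windows PowerShell 5.1+ or PowerShell 7 on Windows; the 2040
# expiry threshold and the optional baseline file of known-good thumbprints
# (one per line, exported from a clean build) are my own choices.

function Get-UnexpectedRootCA {
    param(
        [int]$ExpiryYearThreshold = 2040,
        [string]$BaselinePath        # optional: thumbprints from a clean machine
    )
    $baseline = @()
    if ($BaselinePath -and (Test-Path $BaselinePath)) {
        $baseline = Get-Content $BaselinePath | ForEach-Object { $_.Trim().ToUpper() }
    }
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            # Basic Constraints (OID 2.5.29.19) says whether this is a CA certificate
            $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
            $isCA = if ($bc) { [bool]$bc.CertificateAuthority } else { $false }
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                IsCA          = $isCA
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                # Long expiry alone is only a hint: some vendor program roots also
                # run into the 2040s. The baseline comparison is the real signal.
                LongLived     = ($cert.NotAfter.Year -ge $ExpiryYearThreshold)
                NotInBaseline = ($baseline.Count -gt 0 -and
                                 $baseline -notcontains $cert.Thumbprint.ToUpper())
            }
        } | Where-Object { $_.LongLived -or $_.NotInBaseline }
    }
}

# Usage: list every root that is long-lived or unknown to the baseline. Removing a
# confirmed rogue root needs an elevated session; the thumbprint is a placeholder.
Get-UnexpectedRootCA -BaselinePath 'C:\baseline\root-thumbprints.txt' |
    Format-Table Store, Subject, NotAfter, IsCA, SelfSigned, NotInBaseline -AutoSize
# Remove-Item 'Cert:\LocalMachine\Root\<THUMBPRINT-OF-CONFIRMED-ROGUE-ROOT>'
```

Software that installs its own root on purpose may reinstall it on next launch, so re-run the audit after the application has been started again.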


@yifanlu I remember an RCE being out of scope; some of their bug bounty programs have strange conditions.

Qoto Mastodon
