Tell HN: H&R Block tax software installs a TLS backdoor

157 points by yifanlu ↗ HN
Just a PSA for folks here in the US because tax season is coming up and some of you may be using H&R Block Business 2025. I discovered that the software installs a root CA named "WK ATX ServerHost 2024" (expiry 2049) into your local machine trusted root certificate store. They also helpfully include the private key to this certificate in a DLL file. This certificate does not identify itself as "H&R Block" anywhere and does not get uninstalled when you uninstall the software.

I've been able to successfully use this root CA + mitmproxy to manipulate TLS traffic on a brand new virtual machine on the same network with a DNS spoofing attack. Demo: https://www.youtube.com/watch?v=5paxvYkz1QE

To test if your machine is vulnerable visit this page: https://hrbackdoor.yifanlu.com and if you do not get any warning or error message from your browser then you have the backdoor installed. If your browser does complain, you can choose to visit the page anyways for more details on the vulnerability.

Is it negligence or a "real" back door? It's impossible to tell and since the private key is out there, anyone can use it so the point is moot. There is no legitimate reason why they need to install a wildcard root CA under a different name. When I contacted them about it their statement includes "similar findings have been identified through internal security assessments" meaning they know about this issue but have not fixed it. I would not trust H&R Block software at this point.

If you didn't get bit by this, congratulations. See this post as a reminder to audit your trusted root CA store.

15 comments

[ 2.0 ms ] story [ 42.7 ms ] thread
Thanks for the warning.
Curious: is it carrying a SHA-1 self-signature?
(comment deleted)
I have the non-business edition installed and still get a privacy error attempting to load your page, so this seems specific to the business edition. Thanks for the heads up.
Welcome to CrapOS 26H1! We think you'll love it. Also, if you install tax software it might enable anyone to read all of your "encrypted" TLS connections regardless of what browser or app you might be using.

Click "I AGREE" to accept this as part of our mandatory user abuse and subjugation agreement.

Aren't mac's more secure by default. Receive the warning using mac with h&r block 2025 installed.
I'm wondering if download source matters. Seems like most are downloaded straight from their site, but curious if they still offer CDs or if sellers like Amazon have the direct installer downloads.
Users should not need to trust the software blindly, otherwise it's better just to use AI to file tax by yourself
(comment deleted)
What exactly do you mean by “H&R Block Business 2025”, as such a version doesn’t exist. Is this a reference to the “H&R Block Premium & Business 2025” software? And is it the installed version, I assume, or the online version?

Clarity really would help as Steve Gibson is flailing about wildly with this limited info and implying that all H&R Block 2025 tax software is affected

I'm old enough to remember when TurboTax overwrote your boot sector. Point being, I'm old and tax software has been doing scummy things for decades.