Tell HN: H&R Block tax software installs a TLS backdoor

157 points by yifanlu 24 days ago · 18 comments · 2 min read


Just a PSA for folks here in the US because tax season is coming up and some of you may be using H&R Block Business 2025. I discovered that the software installs a root CA named "WK ATX ServerHost 2024" (expiry 2049) into your local machine trusted root certificate store. They also helpfully include the private key to this certificate in a DLL file. This certificate does not identify itself as "H&R Block" anywhere and does not get uninstalled when you uninstall the software.

I've been able to successfully use this root CA + mitmproxy to manipulate TLS traffic on a brand new virtual machine on the same network with a DNS spoofing attack. Demo: https://www.youtube.com/watch?v=5paxvYkz1QE

To test if your machine is vulnerable visit this page: https://hrbackdoor.yifanlu.com and if you do not get any warning or error message from your browser then you have the backdoor installed. If your browser does complain, you can choose to visit the page anyways for more details on the vulnerability.

Is it negligence or a "real" back door? It's impossible to tell and since the private key is out there, anyone can use it so the point is moot. There is no legitimate reason why they need to install a wildcard root CA under a different name. When I contacted them about it their statement includes "similar findings have been identified through internal security assessments" meaning they know about this issue but have not fixed it. I would not trust H&R Block software at this point.

If you didn't get bit by this, congratulations. See this post as a reminder to audit your trusted root CA store.
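The post's closing advice is to audit your trusted root store. The following PowerShell script is an added example, not part of the original post or of any H&R Block tooling: it lists the self-signed trust anchors in the machine-wide and per-user Root stores (newest first, with the signature algorithm, since a SHA-1 self-signature is one thing to look for), then flags any entry whose Subject contains the name the post reports, "WK ATX ServerHost 2024". The exact Subject DN and thumbprint of the certificate are not given in the post, so matching is by substring on the Subject (an assumption); confirm the match by eye before removing. LocalMachine entries need an elevated shell.

```powershell
# Added audit script (not from the post). Enumerates trust anchors in the
# LocalMachine and CurrentUser Root stores and flags the root named in the post.
#
# Assumption (not from the post): the certificate's exact Subject DN and
# thumbprint are unknown here, so matching is a substring test on Subject.
param(
    # Substring of the Subject to look for; defaults to the name in the post.
    [string]$SuspectName = 'WK ATX ServerHost 2024',
    # Remove flagged certificates instead of only reporting them.
    [switch]$Remove
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

foreach ($store in $stores) {
    Write-Host "== $store =="
    # Self-signed entries (Subject == Issuer) are the trust anchors. Sort by
    # NotBefore descending so recently minted roots surface at the top.
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -eq $_.Issuer } |
        Sort-Object NotBefore -Descending |
        Select-Object Subject,
                      @{n='NotBefore'; e={ $_.NotBefore.ToString('yyyy-MM-dd') }},
                      @{n='NotAfter';  e={ $_.NotAfter.ToString('yyyy-MM-dd') }},
                      @{n='SigAlg';    e={ $_.SignatureAlgorithm.FriendlyName }},
                      Thumbprint |
        Format-Table -AutoSize
}

# Look for the specific root named in the post, in either store.
$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -like "*$SuspectName*" }
}

if (-not $suspects) {
    Write-Host "No root matching '$SuspectName' found."
    return
}

foreach ($cert in $suspects) {
    Write-Warning ("Found '{0}' in {1}: thumbprint {2}, expires {3}" -f
        $cert.Subject, $cert.PSParentPath, $cert.Thumbprint, $cert.NotAfter)
    if ($Remove) {
        # Remove-Item on the Cert: drive deletes the store entry (PowerShell 3+).
        # LocalMachine\Root requires an elevated session.
        Remove-Item -Path $cert.PSPath -Confirm:$false
        Write-Host "Removed $($cert.Thumbprint) from $($cert.PSParentPath)"
    }
}
```

Run it once without `-Remove` to review the listing, then `.\audit-roots.ps1 -Remove` from an elevated prompt to delete the flagged entry. The post notes the certificate survives uninstalling the software, so re-run the audit after any reinstall or update; and since the listing is of every anchor, not just the one named here, it doubles as a general review of roots that Windows did not ship with.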

raw_anon_1111 24 days ago

When will these companies learn?

https://michael.team/zoom/

TheClassic 24 days ago

I have the non-business edition installed and still get a privacy error attempting to load your page, so this seems specific to the business edition. Thanks for the heads up.

larrybud 21 days ago

No evidence of this on my Windows 11 system, but I'm running the personal HRB software, not business.

Also, an internet search for "WK ATX ServerHost 2024" shows that this certificate is likely related to some other tax software from Wolters Kluwer. See https://www.wolterskluwer.com/en/solutions/atx, https://files.cchsfs.com/doc/atx/2024/Help/Content/Both-SSou... and https://support.atxinc.com/

WarOnPrivacy 24 days ago

    "If you have an SSL error in your H&R Block Software,
    here's what you need to know."

https://www.hrblock.com/tax-center/support/software/technica...

minok1217 19 days ago

What exactly do you mean by “H&R Block Business 2025”, as such a version doesn’t exist. Is this a reference to the “H&R Block Premium & Business 2025” software? And is it the installed version, I assume, or the online version?

Clarity really would help as Steve Gibson is flailing about wildly with this limited info and implying that all H&R Block 2025 tax software is affected

  • yifanlu (OP) 18 days ago

    https://www.newegg.com/p/N82E16832732208

    ^ This software

    It installs two separate programs in the installer: H&R Block Premium + State 2025 and H&R Block Business 2025. The first one you can buy separately. The second can only be bought as part of a bundle like from Newegg. The only software I've tested to contain this issue is the Business version. The Premium + State one does NOT have it but I have not spent any time looking for other security issues so I cannot attest there is no other issue. I know it's confusing and that's why I've set up the website for people to easily test to see if they're vulnerable. (Also you can check the video to see both software get installed by the installer you download once you purchase the bundle.)

altairprime 24 days ago

Curious: is it carrying a SHA-1 self-signature?

musicale 24 days ago

Welcome to CrapOS 26H1! We think you'll love it. Also, if you install tax software it might enable anyone to read all of your "encrypted" TLS connections regardless of what browser or app you might be using.

Click "I AGREE" to accept this as part of our mandatory user abuse and subjugation agreement.

giantg2 22 days ago

I'm wondering if download source matters. Seems like most are downloaded straight from their site, but curious if they still offer CDs or if sellers like Amazon have the direct installer downloads.

jwang987 21 days ago

Users should not need to trust the software blindly; otherwise it's better just to use AI to file taxes by yourself.

GoldenMonkey 23 days ago

Aren't Macs more secure by default? I receive the warning using a Mac with H&R Block 2025 installed.

  • snarkanon 23 days ago

    These stupid tax software companies' business editions seem to support only MS-Windows. No idea why, they already support macOS on other editions.

    Anyone know of any business editions available on macOS?

    • majorchord 23 days ago

      > No idea why

      Probably because business users on macs are a rounding error, no offense.

sloaken 24 days ago

Thanks for the warning.

ksherlock 18 days ago

I'm old enough to remember when TurboTax overwrote your boot sector. Point being, I'm old and tax software has been doing scummy things for decades.
