Yifan5d ago

‼️H&R Block Business 2025 Backdoor‼️

I found a TLS backdoor in H&R Block software. They install a wildcard root CA (expiry 2049) into your trusted root certificate store and include the private key in the application DLL.

https://www.youtube.com/watch?v=5paxvYkz1QE

https://hrbackdoor.yifanlu.com

H&R Block Business 2025 Backdoor Exposed

YouTube
Show threadYifan
Lmao @Hacker0x01 told me the backdoor was known "through internal security assessments" and they're "closing this report as out of scope". But now are pissed I disclosed it. Nobody should use this joke of a platform who put the interests of companies over that of users.
Mar 24 at 3:08pmIvory for iOS
Show threadYifan16h ago
Update: @Hacker0x01 replied to my email and I have my response inline. I hope this is the last I will hear about this because frankly I do not have the time or energy to care any more about this than what I have already done.
Show threadYifan13h ago
🫠
Show threadCliff'sEsportCorner9h ago
@yifanlu its late and I might be confused, but you never were part of the program were you? Or did you have to sign up just to report it? I grok that was the only channel you could find to communicate it.
Show threadYifan9h ago
@CliffsEsport exactly, I had to sign up to report this bug. There was no mention of a bug bounty anywhere. I just wanted to disclose a vulnerability lmao
Show threadKevin Karhan 6h ago

@yifanlu @CliffsEsport this is why #ValueRemoving #RentSeekers like #HackerOne are bad.

  • I literally had 0 replies or even acknowledgements from anyone when I reported something and if companies can't be assed to provide a proper eMail and Pubkey per security.txt then they certainly didn't even try to fake to give a shit.
    • And I mean evidently bad stuff, like connection attempts through their network from bogus IP addresses (i.e. RFC1918 despite not even being CGNAT, US DoD addresses that ain't even route-able)…
security.txt

A proposed standard that allows websites to define security policies.

security.txt
Show threadzopieux5h ago

@yifanlu
"No, I'm kicking *you* out first!" What a sad joke of a platform. It's always funny to see just how woefully ill-equipped the industry is at dealing with people who aren't solely driven by financial gain or fame.

Thanks for standing tall over this mascarade and bringing this to the public.

Show threadLi ~ Crystal System3h ago
@yifanlu i've kinda always thought 'responsible disclosure' and especially hackerone was primarily serving corporate interests .. and ugh i hate being right sometimes 🙃
Show threadmodrobert15h ago
@yifanlu I remember an RCE being out of scope, some of their bug bounty programs have strange conditions.
Show threadmodrobert15h ago
@yifanlu BTW: https://cybersecuritynews.com/hackerone-data-breach/
HackerOne Data Breach - Employees Data Stolen Following Navia Hack

HackerOne recently disclosed a data breach affecting 287 of its employees following a cyberattack on its U.S. benefits administrator, Navia Benefit Solutions.

Cyber Security News