‼️H&R Block Business 2025 Backdoor‼️

I found a TLS backdoor in H&R Block software. They install a wildcard root CA (expiry 2049) into your trusted root certificate store and include the private key in the application DLL.

https://www.youtube.com/watch?v=5paxvYkz1QE

https://hrbackdoor.yifanlu.com

H&R Block Business 2025 Backdoor Exposed (YouTube)
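The defensive check a practitioner would want after reading the post above: an audit of the machine-wide trusted root store for self-signed roots that were not delivered through Windows' own trusted-root auto-update and that are valid unusually far into the future. This is an added example, not code from the original post or from the linked site; it assumes a Windows host, an elevated session, and treats the 15-year horizon and the "not in AuthRoot" test as its own heuristics.

```powershell
# Added example (not from the original post). Lists self-signed roots in the
# LocalMachine Root store that Windows did not distribute via its AuthRoot
# auto-update store and that expire more than $YearsAhead years from now.
# The 15-year default is this example's own heuristic, not a Windows setting.
function Find-SuspiciousRootCA {
    param(
        [int]$YearsAhead = 15
    )
    $cutoff = (Get-Date).AddYears($YearsAhead)

    # Thumbprints of third-party roots that Windows itself distributes.
    $authRoot = @{}
    Get-ChildItem Cert:\LocalMachine\AuthRoot -ErrorAction SilentlyContinue |
        ForEach-Object { $authRoot[$_.Thumbprint] = $true }

    # Self-signed entries only: a root CA issues itself.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $_.Issuer } |
        ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                FromAuthRoot  = $authRoot.ContainsKey($_.Thumbprint)
                LongLived     = $_.NotAfter -gt $cutoff
                # A trusted root whose private key is present on this host
                # means anyone with local access can mint trusted certs.
                HasPrivateKey = $_.HasPrivateKey
            }
        } |
        Where-Object { -not $_.FromAuthRoot -and $_.LongLived } |
        Sort-Object NotBefore -Descending
}

# Usage: review anything listed by Subject and NotBefore against installed software.
Find-SuspiciousRootCA | Format-Table -AutoSize
```

Microsoft's own roots are not in AuthRoot either, so a few well-known Microsoft subjects may appear in the output; the entries worth investigating are those whose Subject matches no public CA and whose NotBefore coincides with a software install. Run the same query against `Cert:\CurrentUser\Root` as well, since an installer running without elevation can still add roots to the user's store.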
Lmao @Hacker0x01 told me the backdoor was known "through internal security assessments" and they're "closing this report as out of scope". But now they are pissed I disclosed it. Nobody should use this joke of a platform that puts the interests of companies over those of users.
Update: @Hacker0x01 replied to my email and I have my response inline. I hope this is the last I will hear about this because frankly I do not have the time or energy to care any more about this than what I have already done.
🫠
@yifanlu it's late and I might be confused, but you never were part of the program, were you? Or did you have to sign up just to report it? I grok that was the only channel you could find to communicate it.
@CliffsEsport exactly, I had to sign up to report this bug. There was no mention of a bug bounty anywhere. I just wanted to disclose a vulnerability lmao

@yifanlu @CliffsEsport this is why #ValueRemoving #RentSeekers like #HackerOne are bad.

  • I literally had 0 replies or even acknowledgements from anyone when I reported something, and if companies can't be assed to provide a proper email and pubkey per security.txt then they certainly didn't even try to fake giving a shit.
    • And I mean evidently bad stuff, like connection attempts through their network from bogus IP addresses (i.e. RFC1918 despite not even being CGNAT, US DoD addresses that aren't even routable)…
security.txt: A proposed standard that allows websites to define security policies.

@yifanlu
"No, I'm kicking *you* out first!" What a sad joke of a platform. It's always funny to see just how woefully ill-equipped the industry is at dealing with people who aren't solely driven by financial gain or fame.

Thanks for standing tall over this masquerade and bringing this to the public.

@yifanlu I've kinda always thought 'responsible disclosure' and especially HackerOne was primarily serving corporate interests .. and ugh I hate being right sometimes 🙃
@yifanlu "You can't quit, we're firing you!"
@yifanlu I remember an RCE being out of scope, some of their bug bounty programs have strange conditions.
HackerOne Data Breach - Employees Data Stolen Following Navia Hack (Cyber Security News)

HackerOne recently disclosed a data breach affecting 287 of its employees following a cyberattack on its U.S. benefits administrator, Navia Benefit Solutions.