‼️H&R Block Business 2025 Backdoor‼️

I found a TLS backdoor in H&R Block software. They install a wildcard root CA (expiry 2049) into your trusted root certificate store and include the private key in the application DLL.

https://www.youtube.com/watch?v=5paxvYkz1QE

https://hrbackdoor.yifanlu.com

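A defender-side check for the class of issue described in the post above, added here as an example and not part of the original thread or of any H&R Block or HackerOne material: it walks the Windows machine and user trusted root stores and flags root certificates that are valid unusually far into the future (the post mentions a 2049 expiry) or that have a private key available on the machine. The 15-year threshold and the two store paths are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original thread): audit the Windows trusted root
# stores for root CAs that deserve a closer look. Thresholds are assumptions.
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$LongValidity = (Get-Date).AddYears(15)   # assumption: flag anything valid more than 15 years out

foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | ForEach-Object {
        $Reasons = @()
        if ($_.NotAfter -gt $LongValidity) {
            $Reasons += "expires $($_.NotAfter.ToString('yyyy-MM-dd'))"
        }
        if ($_.HasPrivateKey) {
            # A trusted root whose private key lives on the endpoint lets that
            # endpoint (or anything that reads the key) mint certificates for any host.
            $Reasons += 'private key present on this machine'
        }
        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $Store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                Reasons    = ($Reasons -join '; ')
            }
        }
    } | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so the LocalMachine store is readable; anything it lists should be matched against the vendor roots you actually expect (the Microsoft-managed roots and your own enterprise CA), and an unexpected entry is a reason to look at which installer added it and whether the corresponding private key ships in that product's files.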
Lmao @Hacker0x01 told me the backdoor was known "through internal security assessments" and they're "closing this report as out of scope". But now they are pissed I disclosed it. Nobody should use this joke of a platform, which puts the interests of companies over those of users.
Update: @Hacker0x01 replied to my email and I have my response inline. I hope this is the last I will hear about this because frankly I do not have the time or energy to care any more about this than what I have already done.
🫠
@yifanlu it's late and I might be confused, but you never were part of the program, were you? Or did you have to sign up just to report it? I grok that was the only channel you could find to communicate it.
@CliffsEsport exactly, I had to sign up to report this bug. There was no mention of a bug bounty anywhere. I just wanted to disclose a vulnerability lmao

@yifanlu @CliffsEsport this is why #ValueRemoving #RentSeekers like #HackerOne are bad.

  • I literally had 0 replies or even acknowledgements from anyone when I reported something, and if companies can't be assed to provide a proper e-mail and pubkey per security.txt then they certainly didn't even try to fake giving a shit.
    • And I mean evidently bad stuff, like connection attempts through their network from bogus IP addresses (i.e. RFC1918 despite not even being CGNAT, US DoD addresses that aren't even routable)…