‼️H&R Block Business 2025 Backdoor‼️

I found a TLS backdoor in H&R Block software. They install a wildcard root CA (expiry 2049) into your trusted root certificate store and include the private key in the application DLL.

https://www.youtube.com/watch?v=5paxvYkz1QE

https://hrbackdoor.yifanlu.com

Lmao @Hacker0x01 told me the backdoor was known "through internal security assessments" and they're "closing this report as out of scope". But now they are pissed I disclosed it. Nobody should use this joke of a platform that puts the interests of companies over those of users.
Update: @Hacker0x01 replied to my email and I have my response inline. I hope this is the last I will hear about this because frankly I do not have the time or energy to care any more about this than what I have already done.
🫠
@yifanlu It's late and I might be confused, but you never were part of the program, were you? Or did you have to sign up just to report it? I grok that was the only channel you could find to communicate it.
@CliffsEsport exactly, I had to sign up to report this bug. There was no mention of a bug bounty anywhere. I just wanted to disclose a vulnerability lmao

@yifanlu @CliffsEsport this is why #ValueRemoving #RentSeekers like #HackerOne are bad.

  • I literally had 0 replies or even acknowledgements from anyone when I reported something, and if companies can't be assed to provide a proper email and pubkey per security.txt then they certainly didn't even try to fake giving a shit.
    • And I mean evidently bad stuff, like connection attempts through their network from bogus IP addresses (i.e. RFC1918 despite not even being CGNAT, US DoD addresses that ain't even routable)…

@yifanlu
"No, I'm kicking *you* out first!" What a sad joke of a platform. It's always funny to see just how woefully ill-equipped the industry is at dealing with people who aren't solely driven by financial gain or fame.

Thanks for standing tall over this masquerade and bringing this to the public.

@yifanlu I've kinda always thought 'responsible disclosure' and especially HackerOne was primarily serving corporate interests .. and ugh I hate being right sometimes 🙃
@yifanlu "You can't quit, we're firing you!"
@yifanlu I remember an RCE being out of scope, some of their bug bounty programs have strange conditions.
HackerOne Data Breach - Employees Data Stolen Following Navia Hack

HackerOne recently disclosed a data breach affecting 287 of its employees following a cyberattack on its U.S. benefits administrator, Navia Benefit Solutions.

@yifanlu I'd avoid using AI for thumbnails of security disclosures, given the recent issue of spurious AI CVE reports.
@yifanlu I uh. Don't think that thumbnail spelled certificate right
@endrift look, it was either slop or a random frame and I didn't want to waste any more time on this than I already have on this useless company
@yifanlu "and include the private key in the application DLL." Why are they doing that? Is the app supposed to generate new certs?
@hakona It's for local IPC between the backend database process and the UI process. They do generate a new leaf cert (and send the cert through a completely untrusted channel). My guess is they hit some warning/error about an untrusted certificate and decided this was the best solution.
@yifanlu Oh, that's poignant. Nice to see you on Fedi though!

@yifanlu Cool find 😎.

I learned about your disclosure this morning when it made it onto this week's #SecurityNow Ep1071 and then saw it go by here on mastodon not long after.

And yes, why are commercial bug reporting platforms such a PITA to deal with when trying to get someone to actually listen? Having a public reporting mechanism feels like such a "box ticking exercise" from their end.

@yifanlu Uhm? For real..?
For all that moral superiority there was no attempt from you to coordinate with them either.
You just took their response at face value and immediately made a video about it.
No warning them you would publicly disclose if they don't confirm they will fix it, nothing...

Yeah this ain't it. Be better.

All you did was put people at risk of this being used by malicious actors on them with no available patch.