‼️H&R Block Business 2025 Backdoor‼️
I found a TLS backdoor in H&R Block software. They install a wildcard root CA (expiry 2049) into your trusted root certificate store and include the private key in the application DLL.

@yifanlu Cool find 😎.
I learned about your disclosure this morning when it made it onto this week's #SecurityNow Ep1071 and then saw it go by here on Mastodon not long after.
And yes, why are commercial bug reporting platforms such a PITA to deal with when trying to get someone to actually listen? Having a public reporting mechanism feels like such a "box ticking exercise" from their end.