H&R Block tax software installs a TLS root certificate with bundled private key
18 points by jmillikin
To test if your machine is vulnerable, visit this page: https://hrbackdoor.yifanlu.com and if you do not get any warning or error message from your browser then you have the backdoor installed. If your browser does complain, you can choose to visit the page anyway for more details on the vulnerability.
Wow, @ the H&R Block response:
After review with the program team, we're closing this report as out of scope. The reported issue involves an executable application that falls outside our defined program scope, and similar findings have been identified through internal security assessments.
Not only is it hard to imagine someone approving this kind of thing, I'm having a hard time imagining why they thought they needed to do it.
Conspiracy-fueling observation: there was a sale on Microsoft 365 where it was cheaper if you bought it bundled with H&R Block tax software, i.e. they essentially paid you $20 if you accepted a (digital) copy of H&R Block with your M365.