Tell HN: H&R Block tax software installs a TLS backdoor

Just a PSA for folks here in the US because tax season is coming up and some of you may be using H&R Block Business 2025. I discovered that the software installs a root CA named "WK ATX ServerHost 2024" (expiry 2049) into your local machine trusted root certificate store. They also helpfully include the private key to this certificate in a DLL file. This certificate does not identify itself as "H&R Block" anywhere and does not get uninstalled when you uninstall the software.

I've been able to successfully use this root CA + mitmproxy to manipulate TLS traffic on a brand new virtual machine on the same network with a DNS spoofing attack. Demo: https://www.youtube.com/watch?v=5paxvYkz1QE

To test if your machine is vulnerable visit this page: https://hrbackdoor.yifanlu.com and if you do not get any warning or error message from your browser then you have the backdoor installed. If your browser does complain, you can choose to visit the page anyways for more details on the vulnerability.

Is it negligence or a "real" back door? It's impossible to tell and since the private key is out there, anyone can use it so the point is moot. There is no legitimate reason why they need to install a wildcard root CA under a different name. When I contacted them about it their statement includes "similar findings have been identified through internal security assessments" meaning they know about this issue but have not fixed it. I would not trust H&R Block software at this point.

If you didn't get bit by this, congratulations. See this post as a reminder to audit your trusted root CA store.

143 points | by yifanlu 3 days ago

12 comments

  • larrybud 6 hours ago
    No evidence of this on my windows 11 system, but I'm running the personal HRB software, not business.

    Also, a internet search for "WK ATX ServerHost 2024" shows that this certificate is likely related to some other tax software from Walters Kluwer. See https://www.wolterskluwer.com/en/solutions/atx, https://files.cchsfs.com/doc/atx/2024/Help/Content/Both-SSou... and https://support.atxinc.com/

  • raw_anon_1111 3 days ago
    When will these companies learn?

    https://michael.team/zoom/

  • jwang987 5 hours ago
    Users should not need to trust the software blindly, otherwise it's better just to use AI to file tax by yourself
  • WarOnPrivacy 2 days ago 

        "If you have an SSL error in your H&R Block Software, 
    here’s what you need to know."
    https://www.hrblock.com/tax-center/support/software/technica...
  • giantg2 1 day ago
    I'm wondering if download source matters. Seems like most are downloaded straight from their site, but curious if they still offer CDs or if sellers like Amazon have the direct installer downloads.
  • TheClassic 2 days ago
    I have the non-business edition installed and still get a privacy error attempting to load your page, so this seems specific to the business edition. Thanks for the heads up.
  • altairprime 3 days ago
    Curious: is it carrying a SHA-1 self-signature?
  • musicale 2 days ago
    Welcome to CrapOS 26H1! We think you'll love it. Also, if you install tax software it might enable anyone to read all of your "encrypted" TLS connections regardless of what browser or app you might be using.

    Click "I AGREE" to accept this as part of our mandatory user abuse and subjugation agreement.

  • GoldenMonkey 2 days ago
    Aren't mac's more secure by default. Receive the warning using mac with h&r block 2025 installed.
    [-]
    • snarkanon 1 day ago
      These stupid tax software companies' business editions seem to support only MS-Windows. No idea why, they already support macOS on other editions.

      Anyone know of any business editions available on macOS?

      [-]
      • majorchord 1 day ago
        > No idea why

        Probably because business users on macs are a rounding error, no offense.

  • sloaken 3 days ago
    Thanks for the warning.
  • cochinescu 3 days ago
    [dead]