H&R Block's tax software installs a root CA certificate with an embedded private key, creating a TLS backdoor that allows man-in-the-middle attacks. The certificate remains installed even after software uninstallation and can be exploited to intercept encrypted traffic. This serious security vulnerability affects H&R Block Business 2025 users during tax season.
Background
TLS certificates are used to secure internet communications, and root certificates are trusted authorities that validate website identities. Installing a root CA with a private key compromises the entire certificate trust system.
- Source
- Lobsters
- Published
- Mar 21, 2026 at 02:14 PM
- Score
- 8.0 / 10