Schneier on Security

Clive Robinson • March 20, 2026 9:55 PM

@ All US tax payers.

US Tax Software has a serious backdoor in it that is not being addressed or fixed.

Yup as it’s getting toward that time when you have to do your tax a lot of US taxpayers world wide turn toward software for assistance.

Well it turns out one supplier is sending it out with a significant back door they are not addressing…

Worse they have included the private key so anyone can use the back door to do things you would rather they could not[1].

The person who found it says of it,

H&R Block tax software installs a TLS backdoor

“here in the US because tax season is coming up and some of you may be using H&R Block Business 2025. I discovered that the software installs a root CA named “WK ATX ServerHost 2024” (expiry 2049) into your local machine trusted root certificate store. They also helpfully include the private key to this certificate in a DLL file. This certificate does not identify itself as “H&R Block” anywhere and does not get uninstalled when you uninstall the software.

I’ve been able to successfully use this root CA + mitmproxy to manipulate TLS traffic on a brand new virtual machine on the same network with a DNS spoofing attack.”

Read the rest at,

https://news.ycombinator.com/item?id=47457162

[1] This sort of backdoor is why I talk about using two computers that are “suitably gapped” with,

1, One used to do Private things and never gets connected to any external communications.

2, The second being used to connect to external communications but is never used for Private things.

This way such “back doors” can not be reached or (ab)used.