H&R Block TaxCut bogus “password protection”
Unfortunately, I have to resort to using a Windows computer when it comes time to do my taxes. Last year I started using H&R Block TaxCut software for reasons I can’t remember. I think I picked it up at Target for 20 bucks because I knew my taxes were going to start to get hairy. What better than to have some software do most of the grunt work for me?
In most respects, I am completely pleased with the product. And more than likely they’ve lured me into their trap because they conveniently send me a new disk right around tax time, like they did this year for 2007 filing.
So today I had to file an amended return because I figured I could save some cash on the check I was about to write the IRS. While dicking around trying to figure out the terribly unintuitive way to amend a return, I saw an option in the “File” menu for “Password Protection.”
When I have sensitive data on my computer, if it’s seriously sensitive, I usually just use OpenSSL to encrypt it. I feel pretty safe knowing that something is encrypted with a 256-bit AES cipher-block-chained algorithm.
So I chose the password protection, entered one of my stronger passwords and did what I had to do. Later I of course backed up my files over to my Linux box and for whatever reason it struck me to check out the contents of the files. Just blobs of data in vim, but then, naturally, I ran strings on it:
    rwoodrum@slard:~$ strings my_taxcut_backup_file
    ... snip ...
    int:ui_prop_start_state_tab_screen=0
    int:ui_prop_xira_version=1
    string:ui_psswd=MY_SUPERSECRET_PASSWORD
    int:formprop_import_source=1
    int:formprop_import_source=1
    ... snip ...
    rwoodrum@slard:~$
Wow. I guess I’m kind of surprised that I’m surprised. I actually thought that since this sort of stuff could be pretty sensitive that they would have some kind of real password protection. Nope. The password is easily recovered by use of the 31337 hacker tool /usr/bin/strings.
I don’t understand why a software company would do this sort of crap. This is what you expect from 10 or 15 years ago. Strong encryption is readily available. Hell, at least obfuscate the damn thing. (That sentence is NOT meant to condone security through obscurity, which is a deplorable thing to do.)
So, H&R Block. I challenge you. Make your product safe for thousands of individuals’ important tax data. It’s probably nothing short of misleading to end-users who think that their data is safe.
Word to the wise: If you use this software and are worried about your data, protect it via some other means.
Now… time to encrypt those files by hand…
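The two halves of the post in one script, as an added example that is not the author's own code: the strings-style check that turned up the ui_psswd record, and the "encrypt it by hand" step using the OpenSSL AES-256-CBC wrapping the post mentions, with a PBKDF2-derived key added. File names, the TAXPASS passphrase variable and the sample backup bytes are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not the post's code). Assumed: file paths, TAXPASS variable,
# and the constructed sample bytes below.
set -eu

# Write a constructed blob laid out like the post's strings output: binary
# bytes with the password record stored in clear. $1 = path, $2 = password.
make_sample_backup() {
    printf 'int:ui_prop_xira_version=1\000\001\002string:ui_psswd=%s\000\377int:formprop_import_source=1\000' \
        "$2" > "$1"
}

# Emulate `strings` with tr so this runs without binutils: each non-printable
# byte becomes a newline, so every printable run is its own line. Prints the
# recovered password, or nothing if no "string:ui_psswd=" record is in clear.
leaked_password() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | sed -n 's/^string:ui_psswd=//p' | head -n 1
}

# Encrypt $1 to $1.enc with AES-256-CBC; key derived from the passphrase in
# the TAXPASS environment variable via PBKDF2 (-pbkdf2 needs OpenSSL 1.1.1+).
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$1.enc" -pass env:TAXPASS
}

# Decrypt $1.enc back to $1.dec with the same passphrase.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1.enc" -out "$1.dec" -pass env:TAXPASS
}

# Walk-through: the "protected" backup gives its password to a strings-style
# scan; the OpenSSL-wrapped copy does not, and it still round-trips intact.
demo() {
    dir=$(mktemp -d)
    f="$dir/my_taxcut_backup_file"
    make_sample_backup "$f" 'MY_SUPERSECRET_PASSWORD'
    echo "recovered from backup:     '$(leaked_password "$f")'"
    TAXPASS='example passphrase (assumed)'; export TAXPASS
    encrypt_file "$f"
    echo "recovered from backup.enc: '$(leaked_password "$f.enc")'"
    decrypt_file "$f"
    cmp -s "$f" "$f.dec" && echo "decrypted copy matches the original"
    rm -rf "$dir"
}

demo
```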