## Zerodha Authenticator Logs Expose TOTP Codes, Creating Replay Attack Risk
A critical security vulnerability has been identified within Zerodha's authentication system, where Time-based One-Time Password (TOTP) codes are being written in plain text to debug logs. The exposure occurs in the `authenticator.py` file at line 105, where a debug log statement includes the full `totp_code` as an argument. While each code is only valid for 30 seconds, the standard practice of aggregating logs into systems like Datadog, Splunk, or ELK creates a dangerous window where a malicious actor with real-time log access could intercept and replay a valid code to bypass two-factor authentication.

The flaw is a direct code review finding, flagged as a primary security concern. The current behavior logs the sensitive credential via `log.debug("zerodha_auth.totp_generated", code=totp_code)`. The proposed fix is to immediately remove the `code=totp_code` argument from the log call. To maintain operational visibility without the risk, the log event should still fire, but with the value masked: either a placeholder such as `code="[redacted]"` or a boolean flag such as `totp_generated=True`.

This finding triggers a broader security audit. The acceptance criteria mandate not only fixing this specific line but also conducting a full review of all other log calls within the `authenticator.py` file to hunt for any similar exposures of credentials or sensitive data. The incident underscores a common but high-severity oversight in development pipelines where debug logging, intended for troubleshooting, inadvertently becomes a production security leak. The risk is not theoretical; it enables a clear path for credential replay if an attacker gains access to the log aggregation pipeline.
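The following Python block is an added illustration of both the fix described above and the follow-up log review; it is not Zerodha's code and not taken from the issue. It assumes a structlog-style logger (an event name plus keyword fields, rendered as `key=value`), which is reimplemented here as a tiny `MiniLogger` so the example runs without any dependency. The names `redact_sensitive`, `MiniLogger`, `audit_log_lines`, the key list in `SENSITIVE_KEYS` and the sample log lines are all constructed for this example.

```python
"""Masking secrets in structlog-style events and auditing rendered log lines.

Two defensive controls are shown:
  1. a processor that redacts sensitive keyword fields before rendering, so a
     stray `code=totp_code` argument can never reach the log sink;
  2. an audit pass over already-rendered log lines that flags unmasked
     sensitive keys and TOTP-shaped values, for reviewing a whole file's output.
"""
import re

# Keys whose values must never be rendered (assumed list; extend per project).
SENSITIVE_KEYS = {"code", "totp_code", "otp", "password", "secret", "token", "api_key"}
REDACTED = "[redacted]"
# TOTP codes are typically 6 digits (8 for some deployments); purely numeric.
TOTP_VALUE_RE = re.compile(r"^\d{6,8}$")
# Matches the `key=value` fields produced by a key/value renderer.
KV_RE = re.compile(r"(\w+)=(\S+)")


def redact_sensitive(logger, method_name, event_dict):
    """structlog-style processor: mask sensitive keys before rendering."""
    for key in list(event_dict):
        if key.lower() in SENSITIVE_KEYS and event_dict[key] != REDACTED:
            event_dict[key] = REDACTED
    return event_dict


def render_key_value(event_dict):
    """Render an event dict as 'event k=v ...' (like structlog's KeyValueRenderer)."""
    event = event_dict.pop("event")
    rest = " ".join(f"{k}={v}" for k, v in event_dict.items())
    return f"{event} {rest}".rstrip()


class MiniLogger:
    """Minimal stand-in for a structlog logger with a processor chain (assumed)."""

    def __init__(self, processors):
        self.processors = processors
        self.lines = []  # what a real sink (file, Datadog, Splunk, ELK) would receive

    def debug(self, event, **fields):
        event_dict = {"event": event, **fields}
        for proc in self.processors:
            event_dict = proc(self, "debug", event_dict)
        line = render_key_value(event_dict)
        self.lines.append(line)
        return line


def log_totp_generated_unsafe(log, totp_code):
    """The call shape flagged in the issue: the secret itself is a log argument."""
    return log.debug("zerodha_auth.totp_generated", code=totp_code)


def log_totp_generated_safe(log, totp_code):
    """Proposed fix: keep the event for visibility, drop the value, log a boolean."""
    return log.debug("zerodha_auth.totp_generated", totp_generated=True)


def audit_log_lines(lines):
    """Return (line_no, key, reason) for every field that looks like a leaked secret.

    Two heuristics: a known sensitive key with an unmasked value, or a purely
    numeric 6-8 digit value inside an event whose name mentions TOTP. The second
    is deliberately broad (a numeric user id in a TOTP event would also be
    flagged) because a false positive costs a glance and a miss costs a factor.
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        for key, value in KV_RE.findall(line):
            if value == REDACTED:
                continue
            if key.lower() in SENSITIVE_KEYS:
                findings.append((line_no, key, "sensitive key with unmasked value"))
            elif TOTP_VALUE_RE.match(value) and "totp" in line.lower():
                findings.append((line_no, key, "TOTP-shaped value in a TOTP event"))
    return findings


# Constructed sample of rendered log lines, as a log review would see them.
SAMPLE_LOG = [
    "zerodha_auth.totp_generated code=482913 user=alice",          # leak
    "zerodha_auth.totp_generated code=[redacted] user=alice",      # masked
    "zerodha_auth.totp_generated totp_generated=True user=alice",  # fixed shape
    "zerodha_auth.login_ok user=alice session_age=42",             # unrelated
]

if __name__ == "__main__":
    for finding in audit_log_lines(SAMPLE_LOG):
        print("FINDING:", finding)
    print(log_totp_generated_unsafe(MiniLogger([redact_sensitive]), "482913"))
    print(log_totp_generated_safe(MiniLogger([]), "482913"))
```

The processor is the control that survives the next developer's mistake: even if `code=totp_code` is reintroduced in `authenticator.py`, the rendered line carries `code=[redacted]`. The audit function is the control for the acceptance criterion of reviewing every other log call in the file; run it over a representative slice of the file's real output (or over test-captured lines) and treat any finding as a blocker.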
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, authentication, logging, vulnerability, code_review
- **Credibility**: unverified
- **Published**: 2026-04-06 18:27:08
- **ID**: 51794
- **URL**: https://whisperx.ai/en/intel/51794