Zerodha Authenticator Logs Expose TOTP Codes, Creating Replay Attack Risk
A code review of the `authenticator.py` module used for Zerodha authentication found that Time-based One-Time Password (TOTP) codes are being written in plain text to debug logs. The exposure is at line 105 of `authenticator.py`, where a debug log statement passes the full `totp_code` as a keyword argument. Each code is valid only for its 30-second time step (often a little longer, because verifiers typically accept one step of clock skew on either side), but logs are routinely shipped in near real time to aggregators such as Datadog, Splunk, or ELK, where the code is indexed as a searchable field. Anyone with read access to that pipeline, whether a broad internal audience or an attacker who has compromised it, can pull a live code and reuse it within its window. The leaked code satisfies only the second factor, but that is precisely the protection two-factor authentication was supposed to add, and the remaining first factor is the one most often already exposed.
The flaw is a direct code review finding, flagged as the primary security concern of the review. The current call is `log.debug("zerodha_auth.totp_generated", code=totp_code)`. The proposed fix is to remove the `code=totp_code` argument immediately. To keep operational visibility, the event should still fire, but without the value: either a placeholder such as `code="[redacted]"` or a boolean field such as `totp_generated=True`, which records that a code was produced without recording which one.
The finding triggers a broader audit. The acceptance criteria require not only fixing this line but also reviewing every other log call in `authenticator.py` for similar exposure of credentials or other sensitive data (passwords, API keys, session tokens). Two follow-ups a practitioner would add: redact sensitive keys in the logging layer itself (a processor or filter) so that no individual call site can reintroduce the leak, and search retained logs for the `zerodha_auth.totp_generated` event to establish how long codes have been exposed and to purge them. The incident is a common but high-severity oversight: debug logging written for troubleshooting becomes a production credential leak. The risk is not theoretical; anyone with access to the log aggregation pipeline has a clear path to reusing a live code.
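The following is an added example, not code from the project under review, that shows both halves of the remediation above: a logging-layer redaction step that masks sensitive keyword arguments before they are rendered, and an `ast`-based audit that scans a source file for log calls carrying sensitive keys. It assumes structlog-style keyword logging (`log.debug(event, key=value)`) and uses a hypothetical `SENSITIVE_KEYS` list; the TOTP routine is included only so the leaked value is realistic, and the scanned source snippet is constructed for the example.

```python
"""Redact TOTP codes out of keyword-style debug logs and audit a source
file for log calls that leak sensitive values.  Added example; not the
project's own code.  Uses only the standard library."""
import ast
import hashlib
import hmac
import struct

# Keyword names that must never reach a log line as a raw value.
# Assumption: an illustrative list, not the reviewed project's policy.
SENSITIVE_KEYS = {
    "code", "totp", "totp_code", "otp", "password", "api_key",
    "access_token", "secret", "request_token",
}
LOG_METHODS = {"debug", "info", "warning", "error", "critical", "exception"}


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Present only to produce a realistic code."""
    counter = int(timestamp // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def redact(fields: dict) -> dict:
    """Logging-layer processor: mask values whose key is sensitive."""
    return {k: ("[redacted]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in fields.items()}


def format_event(event: str, **fields) -> str:
    """Render an event as `event key=value ...`, after redaction.
    Stands in for the log.debug(event, **kw) call shape on the page."""
    safe = redact(fields)
    return " ".join([event] + [f"{k}={v!r}" for k, v in safe.items()])


def audit_log_calls(source: str, filename: str = "<string>") -> list:
    """Static audit: find log calls whose keyword args use a sensitive key.
    Returns sorted (lineno, method, key) tuples for a reviewer to triage."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match log.debug(...), logger.warning(...), logging.error(...) etc.
        if not isinstance(func, ast.Attribute) or func.attr not in LOG_METHODS:
            continue
        for kw in node.keywords:
            if kw.arg and kw.arg.lower() in SENSITIVE_KEYS:
                findings.append((node.lineno, func.attr, kw.arg))
    return sorted(findings)


# Constructed snippet standing in for authenticator.py; not the real file.
CONSTRUCTED_SOURCE = '''
import structlog
log = structlog.get_logger()

def login(password, totp_code):
    log.debug("zerodha_auth.totp_generated", code=totp_code)      # leak
    log.debug("zerodha_auth.password_loaded", password=password)  # leak
    log.info("zerodha_auth.totp_generated", totp_generated=True)  # fine
'''


def demo() -> dict:
    """Exercise both halves and return the results for inspection."""
    # RFC 6238 test secret at T=59 -> counter 1 (HOTP vector 287082).
    code = totp(b"12345678901234567890", 59)
    leaky = f"zerodha_auth.totp_generated code={code!r}"       # the page's bug
    safe = format_event("zerodha_auth.totp_generated", code=code)
    return {
        "code": code,
        "leaky_line": leaky,
        "safe_line": safe,
        "findings": audit_log_calls(CONSTRUCTED_SOURCE, "authenticator.py"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Redacting in the logging layer rather than at each call site is the important design choice: it means a future `log.debug(..., code=...)` added anywhere still cannot leak, while the audit catches the existing call sites that need fixing now.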