Missing Best Practice in OTP Validation Fixed in Zoho Accounts

Soumen Mukherjee
2 min read · Mar 19, 2020

Zoho is an Indian web-based online office suite containing word processing, spreadsheets, presentations, databases, note-taking, wikis, web conferencing, customer relationship management, project management, invoicing, and other applications developed by Zoho Corporation, a California-based company.

They manage a whole suite of business applications that supports user authentication through OpenID integrations with various third-party identity providers. To further strengthen authentication, you can enrol a two-factor soft token such as Google Authenticator or FreeOTP, among others, which generates the OTP used at login.

The standard login flow validates the user's identity through the third-party identity provider using OAuth2 and follows it up by prompting the user to enter the OTP generated by the soft token / mobile app.

As a security researcher I identified a vulnerability which, if exploited, could compromise the security provided by the second factor. The vulnerability that existed in the system was due to a missing best practice: ensuring that a valid OTP is accepted only once during the token's lifetime. Generally speaking, for many systems it is an intended design of time-based OTP validation engines to allow a short time gap during TOTP validation. It is designed this way to give end users better usability; however, Zoho Accounts was allowing the user to log in successfully by using the same OTP multiple times during this time gap. The issue was researched, documented and shared with the Zoho Security Team, which promptly acknowledged it as an issue (ZVE-2020–0049), and after some rounds of information gathering with me the Zoho Security Team set out to address it within a reasonable time. As of the date of writing this article, the issue has been successfully addressed, patched and validated.
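The check the article describes as the missing best practice, as an added example that is not Zoho's code: a TOTP verifier (RFC 6238, HMAC-SHA1) that keeps the usual ±1 step skew window for usability but records the newest accepted time step per user, so a code that has already been accepted is rejected even while it is still inside the window. The secret, user state and timestamps are constructed for the example, and the `replay_safe` switch exists only to show the weak behaviour beside the corrected one.

```python
# Added example (not Zoho's code): TOTP verification with a +/-1 step skew
# window that still enforces one-time use, as RFC 6238 section 5.2 requires.
import hmac
import hashlib
import struct

STEP = 30      # TOTP time step in seconds
DIGITS = 6
WINDOW = 1     # also accept the previous and next step (clock skew)


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for a time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Per-user verifier. last_counter is the newest time step already used;
    in a real system it would be persisted with the user's 2FA record."""

    def __init__(self, secret: bytes, replay_safe: bool = True):
        self.secret = secret
        self.replay_safe = replay_safe   # False reproduces the weak behaviour
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP
        for counter in range(base - WINDOW, base + WINDOW + 1):
            # Replay guard: a step at or below the last accepted one is spent,
            # even if its code is still valid inside the skew window.
            if self.replay_safe and counter <= self.last_counter:
                continue
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.last_counter = max(self.last_counter, counter)
                return True
        return False
```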

The video below showcases the vulnerability in detail.
