Security issue with TOTP

Hi,

With a colleague, I just tested the TOTP module I have installed in my Nextcloud (Docker image; v15.0.4). The meaning of TOTP is
Time-based…
ONE-TIME
Password

What I discovered is that TOTP is not ONE-Time and is in fact re-usable.

I logged out of my web session, re-opened the web interface using my password only, opened a web page on my colleague's computer, and entered the UID and password on that one too. After that, I entered the TOTP code on my computer and logged in. Once in with the web interface and fully loaded, I told him the TOTP value and he entered it. He then entered a session of his own.

There should be a flag in the database or something like that to ensure that once a --ONE-TIME-- code is used, it cannot be re-used.

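The fix the post asks for, as an added example that is not part of the original post and not the twofactor_totp app's own (PHP) code: a small RFC 6238 verifier in Python that remembers, per user, the highest time step whose code has already been consumed, and rejects any code from that step or an earlier one. The `verify_totp_replayable` function is the weak pattern the post describes (any code inside the validity window is accepted as often as it is presented); `ReplaySafeTotp` is the corrected form. The class and function names are assumptions for this example, the in-memory `last_used_step` dictionary stands in for the database column the post suggests, and the secret is the RFC 6238 reference-vector secret (ASCII `12345678901234567890`), not a real Nextcloud secret.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step_seconds: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, now // step_seconds, digits)


def verify_totp_replayable(secret: bytes, code: str, now: int,
                           window: int = 1, step_seconds: int = 30) -> bool:
    """The weak pattern the post describes: every code inside the window is accepted,
    no matter how many times it has already been used."""
    step = now // step_seconds
    return any(hmac.compare_digest(hotp(secret, s), code)
               for s in range(step - window, step + window + 1))


class ReplaySafeTotp:
    """Verifier that records, per user, the highest time step already consumed.

    `last_used_step` is an in-memory stand-in for the database flag the post asks for;
    in a real deployment it must live in the shared database, not in process memory.
    """

    def __init__(self, step_seconds: int = 30, window: int = 1) -> None:
        self.step_seconds = step_seconds
        self.window = window
        self.last_used_step: dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        step = now // self.step_seconds
        matched = None
        # Compare against every step in the window (constant-time per comparison,
        # no early exit) and keep the highest matching step.
        for s in range(step - self.window, step + self.window + 1):
            if hmac.compare_digest(hotp(secret, s), code):
                matched = s
        if matched is None:
            return False
        # Replay protection: a code from a step that is already consumed, or from
        # any earlier step, is refused even though it is still inside the window.
        if matched <= self.last_used_step.get(user, -1):
            return False
        self.last_used_step[user] = matched
        return True


# RFC 6238 reference secret, base32-encoded as Nextcloud stores TOTP secrets.
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def demo() -> tuple:
    """Replays the post's scenario: the first login consumes the code, the colleague's
    attempt with the same code a few seconds later is rejected by the safe verifier."""
    code = totp(SECRET, 59)                       # first login at t=59 s
    weak = (verify_totp_replayable(SECRET, code, 59),
            verify_totp_replayable(SECRET, code, 75))   # replay 16 s later
    safe = ReplaySafeTotp()
    strong = (safe.verify("alice", SECRET, code, 59),
              safe.verify("alice", SECRET, code, 75))
    return weak, strong


if __name__ == "__main__":
    print(demo())
```

Two things matter when moving this from the example to a real backend: the last-used step must be stored where every worker sees it (the user's 2FA row in the database) and updated with a row lock or compare-and-set, otherwise two requests carrying the same code can both pass the check before either records it; and the comparison is `<=` rather than `==`, so a code from the previous step can no longer be replayed after the user has already authenticated with the current one.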

We are working on a solution. See https://github.com/nextcloud/twofactor_totp/issues/245 for more info.
