diff --git a/CHANGES/1709.bugfix.rst b/CHANGES/1709.bugfix.rst
new file mode 100644
index 00000000..7413a2df
--- /dev/null
+++ b/CHANGES/1709.bugfix.rst
@@ -0,0 +1 @@
+Use `hmac.compare_digest` for validating WebApp data to prevent timing attacks.
diff --git a/aiogram/utils/web_app.py b/aiogram/utils/web_app.py
index 192776fd..759f268c 100644
--- a/aiogram/utils/web_app.py
+++ b/aiogram/utils/web_app.py
@@ -134,7 +134,7 @@ def check_webapp_signature(token: str, init_data: str) -> bool:
 calculated_hash = hmac.new(
 key=secret_key.digest(), msg=data_check_string.encode(), digestmod=hashlib.sha256
 ).hexdigest()
- return calculated_hash == hash_
+ return hmac.compare_digest(calculated_hash, hash_)
 def parse_webapp_init_data(
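Review bot: The new `return hmac.compare_digest(calculated_hash, hash_)` line can now raise instead of returning False: `hmac.compare_digest` on two `str` arguments requires both to be ASCII-only and raises `TypeError` otherwise, and `hash_` is presumably taken from the caller-supplied `init_data` earlier in `check_webapp_signature` (outside this hunk), so a non-ASCII `hash` field turns a failed validation into an unhandled exception. Comparing bytes avoids that while keeping the constant-time property: `return hmac.compare_digest(calculated_hash.encode(), hash_.encode())`. A one-line comment above it would help the next reader, e.g. `# constant-time compare: a plain == short-circuits on the first differing byte`. The function's start, including where `hash_` and `data_check_string` are derived, is before the hunk, so the non-ASCII reachability should be confirmed against those lines.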