From ddcedadfbde745965f7da03f5e7bcfbd31cc7614 Mon Sep 17 00:00:00 2001
From: Slava Terekhin <153532746+iSlavok@users.noreply.github.com>
Date: Sat, 19 Jul 2025 16:17:27 +0500
Subject: [PATCH] fix(utils): use hmac.compare_digest for secure WebApp signature validation (#1710)

---
 CHANGES/1709.bugfix.rst  | 1 +
 aiogram/utils/web_app.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 CHANGES/1709.bugfix.rst

diff --git a/CHANGES/1709.bugfix.rst b/CHANGES/1709.bugfix.rst
new file mode 100644
index 00000000..7413a2df
--- /dev/null
+++ b/CHANGES/1709.bugfix.rst
@@ -0,0 +1 @@
+Use `hmac.compare_digest` for validating WebApp data to prevent timing attacks.
diff --git a/aiogram/utils/web_app.py b/aiogram/utils/web_app.py
index 192776fd..759f268c 100644
--- a/aiogram/utils/web_app.py
+++ b/aiogram/utils/web_app.py
@@ -134,7 +134,7 @@ def check_webapp_signature(token: str, init_data: str) -> bool:
     calculated_hash = hmac.new(
         key=secret_key.digest(), msg=data_check_string.encode(), digestmod=hashlib.sha256
     ).hexdigest()
-    return calculated_hash == hash_
+    return hmac.compare_digest(calculated_hash, hash_)
 
 
 def parse_webapp_init_data(
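Review bot: The added `hmac.compare_digest(calculated_hash, hash_)` line can raise `TypeError` instead of returning `False`, because `compare_digest` only accepts `str` arguments that are pure ASCII, and `hash_` is presumably taken from the caller-supplied `init_data` (the line that extracts it is outside this hunk). A crafted `hash` value containing non-ASCII characters would therefore turn a signature failure into an unhandled exception in a function declared `-> bool`. Comparing the two values as bytes removes the ASCII restriction while keeping the constant-time comparison: `return hmac.compare_digest(calculated_hash.encode(), hash_.encode())`. The body of `check_webapp_signature` begins before this hunk, so if `hash_` is already validated as hex upstream, this concern does not apply; the diff alone does not show that.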