PW-6905: is_valid_hmac and is_valid_hmac_notification are vulnerable to timing attack
MahamdiAmine opened this issue · 1 comment
MahamdiAmine commented
Description
is_valid_hmac and is_valid_hmac_notification are vulnerable to a timing attack; you should compare the hash of the HMACs instead.
jillingk commented
Hi @MahamdiAmine,
Massive thanks for bringing this to our attention. We fixed the vulnerability and added it in our new release!
Best, Jilling
Adyen
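
The comparison pattern reported in this issue, next to two hardened forms, as an added example that is not part of the original thread and is not Adyen's code. The helper names, the key and the payload are constructed for illustration and do not reflect the library's real signing format.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample key and payload; not Adyen's real signing format.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PAYLOAD = b"constructed-notification-payload"


def sign(key: bytes, payload: bytes) -> str:
    """Hypothetical helper: base64-encoded HMAC-SHA256 of the payload."""
    return base64.b64encode(hmac.new(key, payload, hashlib.sha256).digest()).decode()


def verify_naive(key: bytes, payload: bytes, received: str) -> bool:
    """Reported pattern: == may stop at the first differing character, so
    response time can reveal how long the matching prefix is."""
    return sign(key, payload) == received


def verify_constant_time(key: bytes, payload: bytes, received: str) -> bool:
    """Compare as bytes: compare_digest rejects non-ASCII str with TypeError."""
    return hmac.compare_digest(sign(key, payload).encode(), received.encode())


def verify_double_hmac(key: bytes, payload: bytes, received: str) -> bool:
    """Compare hashes of both values, as the issue suggests. A fresh random
    key per call makes the compared bytes unpredictable to the sender."""
    blind = os.urandom(32)
    expected = hmac.new(blind, sign(key, payload).encode(), hashlib.sha256).digest()
    candidate = hmac.new(blind, received.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    good = sign(SAMPLE_KEY, SAMPLE_PAYLOAD)
    for check in (verify_naive, verify_constant_time, verify_double_hmac):
        print(check.__name__, check(SAMPLE_KEY, SAMPLE_PAYLOAD, good),
              check(SAMPLE_KEY, SAMPLE_PAYLOAD, good[:-4] + "AAA="))
```

All three functions return the same accept or reject decision; only the last two avoid a comparison whose duration depends on the position of the first mismatch.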