fix: use random nonce per call in AES-GCM onboarding signature (ISS-2528895)#411
Merged
Conversation
Static IV derived from the key (substr($key, 0, 12)) was reused for every encryption call, enabling keystream recovery and authentication tag forgery via the GHASH Forbidden Attack with just two captured onboarding_signature values. Fix: replace static IV with random_bytes(12) and prepend the IV to the ciphertext output (iv || ciphertext || tag) so receivers can extract the IV for decryption. Output format is unchanged (hex string), but now includes a 12-byte IV prefix (first 24 hex chars). Server-side validation at auth.razorpay.com must be updated to read the first 24 hex chars as the IV before decrypting. Partners should also rotate their client_secret as previously captured signatures remain exploitable under the old key material. Co-authored-by: ankitdas13 <ankit.das@razorpay.com>
This was referenced Jun 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a critical AES-GCM nonce reuse vulnerability in
generateOnboardingSignature(ISS-2528895, HackerOne #3754503).$iv = substr($key, 0, 12)— the IV was always derived from the first 12 bytes of the AES key, meaning every encryption call for a given partner reused the exact same key-nonce pair. AES-GCM forbids this (NIST SP 800-38D §8.3).onboarding_signaturevalues from partner authorize URLs (exposed via browser history, Referer headers, server logs, Sentry, etc.) could recover the GHASH key and forge a cryptographically valid signature for anysubmerchant_id— without knowing theclient_secret.random_bytes(12)(CSPRNG). The random IV is prepended to the output so receivers can extract it: output format is nowhex(iv || ciphertext || tag)where the first 24 hex chars are the IV.Changes
src/Utility.php— generate fresh 12-byte IV per encryption call; prepend IV to ciphertext outputtests/OAuthTokenClientTest.php— replace hardcoded deterministic assertion (which relied on the broken static IV) with behavioral assertions: valid hex output, minimum length, and uniqueness across callsauth.razorpay.com): Update signature decryption to read the first 24 hex chars as the IV before decrypting. Previously the IV was re-derived from the key; now it is transmitted in the payload.client_secretrotation: Signatures captured before this fix remain exploitable under the old key material via the Forbidden Attack. Guidance should be issued to all affected partners to rotate theirclient_secret.razorpay-java,razorpay-node, andrazorpay-ruby(same nonce derivation flaw exists in all four).Test plan
$iv = random_bytes(12)generates a unique nonce on every callRelated: ISS-2528895 | HackerOne #3754503
🤖 Generated with Claude Code