Insecure AES-GCM Token Tampering and Truncation
AES-GCM (Galois/Counter Mode) is an authenticated encryption algorithm that provides both confidentiality and integrity. However, when implemented insecurely — for example, with a weak key size (AES-128 instead of AES-256 in high-security contexts), with predictable nonces, or when ciphertext and authentication tags are not properly verified — attackers can perform token tampering or truncation attacks.
In such cases, adversaries may alter encrypted tokens (e.g., session tokens, password reset tokens, API credentials) without detection, or exploit truncated authentication tags to bypass integrity validation. This can lead to unauthorised authentication, privilege escalation, or data disclosure.
Remediation
- Use strong key sizes (AES-256-GCM preferred) for high-security tokens.
- Always enforce full authentication tag validation — never truncate tags to reduce size, as shorter tags significantly weaken integrity guarantees.
- Ensure nonces are generated securely, uniquely, and never reused across encryptions with the same key.
- Avoid rolling custom crypto; use well-vetted libraries that correctly implement AES-GCM and enforce full authentication tag checking.
- Regularly rotate keys and revoke any tokens suspected of compromise.
- Apply defence-in-depth: combine encryption with strict access controls and session expiry.
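The key-size, nonce and full-tag points above as an added example (not part of the original entry or any project's code): a Node.js token sealer that accepts only a 32-byte key, draws a fresh random 96-bit nonce per token, and pins the tag to the full 128 bits on both sides, so a modified or truncated token fails to open. The token layout and the names `sealToken`, `openToken` and `selfCheck` are assumptions of this example.

```javascript
// Added example. Token layout (assumed): base64url(nonce || ciphertext || tag).
const crypto = require('node:crypto');

const NONCE_LEN = 12; // 96-bit nonce
const TAG_LEN = 16;   // full 128-bit tag, fixed by the code, never read from the token

function sealToken(key, payload) {
  // 'aes-256-gcm' makes Node throw unless the key is exactly 32 bytes.
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh CSPRNG nonce for every token
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]).toString('base64url');
}

// Returns the payload, or null for any token that does not authenticate.
function openToken(key, token) {
  const raw = Buffer.from(String(token), 'base64url');
  if (raw.length < NONCE_LEN + TAG_LEN) return null; // cannot hold a nonce and a full tag
  const nonce = raw.subarray(0, NONCE_LEN);
  const ct = raw.subarray(NONCE_LEN, raw.length - TAG_LEN);
  const tag = raw.subarray(raw.length - TAG_LEN);
  try {
    // authTagLength makes setAuthTag() reject any tag that is not 16 bytes.
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
    decipher.setAuthTag(tag);
    const pt = Buffer.concat([decipher.update(ct), decipher.final()]); // final() throws on mismatch
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null; // one failure result for every cause
  }
}

// Constructed sample data: one valid token plus modified copies of it.
function selfCheck() {
  const key = crypto.randomBytes(32);
  const token = sealToken(key, { uid: 42, role: 'user' });
  const raw = Buffer.from(token, 'base64url');
  const flipped = Buffer.from(raw);
  flipped[NONCE_LEN] ^= 0x01; // single bit changed in the ciphertext
  const truncated = raw.subarray(0, raw.length - 8); // tag shortened to 64 bits
  return {
    valid: openToken(key, token),
    flipped: openToken(key, flipped.toString('base64url')),
    truncated: openToken(key, truncated.toString('base64url')),
    wrongKey: openToken(crypto.randomBytes(32), token),
  };
}
```

The plaintext is parsed only after `final()` has succeeded; output from `update()` is unauthenticated until then and must not be acted on.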
Metadata
- Severity: medium
- Slug: insecure-aes-gcm-token-tampering-and-truncation
CWEs
- 327: Use of a Broken or Risky Cryptographic Algorithm
- 347: Improper Verification of Cryptographic Signature
OWASP
- A02:2021: Cryptographic Failures
- A07:2021: Identification and Authentication Failures