Identity experts and media outlets last week revealed that the Covert Redirect Vulnerability was overhyped and inaccurately documented.
The initial vulnerability report by a Ph.D. student from Nanyang Technological University in Singapore claimed that OAuth and OpenID themselves contained a flaw that attackers could exploit to capture personal data. That claim does not hold up.
The issue is an instance of open redirect, a long-known web application weakness, not a defect in either protocol. It manifested in flawed OAuth implementations that let the authorization server send the issued credentials (an authorization code or access token) back to a redirect URI that was only loosely matched against the one registered for the client, rather than compared exactly. In other words, the redirect_uri parameter was "open" and not "explicit", so an attacker could append a path or query that steered the browser, and the credentials with it, through an open redirect on the client's callback to a destination of the attacker's choosing.
Ping Identity's products are not directly affected by the Covert Redirect Vulnerability. Updates or patches to Ping products are not required, but general best practices include enforcing exact matching of redirect URIs.
The OAuth framework and the OpenID Connect protocol (and SAML, for that matter) are not flawed. Both specifications already address the risk introduced by redirects: OAuth 2.0 (RFC 6749, Sections 3.1.2 and 10.15) requires clients to register their redirection endpoints, requires the authorization server to compare the requested redirect_uri against the registered value by simple string comparison, and explicitly warns against acting as an open redirector, and OpenID Connect Core requires that the redirect_uri exactly match a pre-registered value. An implementation that follows this language never lets an attacker supply any part of the redirect_uri.
If you are using PingFederate as an OAuth authorization server, it is not vulnerable to this attack. To protect your overall solution, however, you should ensure that all redirect URIs to which the user (resource owner) can be redirected are not susceptible to the open redirect vulnerability. More detail is available in Ping's official security bulletin, including information on configuration parameters for three connectors.
Our PingAccess platform does not allow open redirection and contains mitigations against open redirect at the redirect callback URI. When used with PingFederate, PingAccess acts as a reverse proxy. In this configuration, it is recommended that exact redirect_uri matching is enabled within PingFederate when it acts as an Authorization Server.
PingOne makes limited use of the OAuth 2.0 and OpenID protocols in two workflows: Cloud Desktop API Invocation and Federated Login into PingOne. Overall, PingOne performs validation on all user input and is not known to have any open redirect vulnerability.
In addition, other Ping Identity supplied components that act as OAuth clients are restricted to a specific target URI and therefore not susceptible to the Covert Redirect Vulnerability.
Overall, Ping Identity Solutions Support strongly recommends, as a general best practice, that administrators enforce exact matching of the redirect URI by ensuring that the registered redirect_uri values of their OAuth clients do not contain any wildcard characters.
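To make the mechanism behind the recommendation concrete, here is an added example (not Ping Identity code and not part of the original bulletin) that simulates the redirect_uri check an authorization server performs, the open redirect on a client callback that the report relied on, and the browser behaviour that carries a fragment across a 302. All hosts, client identifiers, parameter names and the token value are constructed for the demonstration.

```python
"""Added illustration: why exact redirect_uri matching matters.

Simulates an OAuth 2.0 authorization server (AS) validating the
redirect_uri under loose (prefix) matching versus exact matching, then
follows an implicit-flow token through an open redirect on the client's
callback. Every host, identifier and token below is made up.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed registration for a hypothetical client: one exact callback URI.
REGISTERED_REDIRECT_URIS = ["https://client.example/cb"]

# What an attacker lures the victim into sending to the AS: same host and
# path as the registered URI, plus a ?next= parameter that the client's
# callback blindly honours.
MALICIOUS_REDIRECT_URI = "https://client.example/cb?next=https://attacker.example/"


def has_wildcard(uri):
    """Registration-time check: a registered redirect_uri must be a literal
    value, never a pattern such as https://client.example/*."""
    return "*" in uri


def redirect_uri_allowed(registered, requested, exact):
    """AS-side check of the redirect_uri in the authorization request.

    exact=True  : simple string comparison, as RFC 6749 and OpenID Connect require.
    exact=False : prefix matching, the loose behaviour found in flawed deployments.
    """
    if exact:
        return requested in registered
    return any(requested.startswith(r) for r in registered)


def authorization_response(redirect_uri, access_token):
    """Build the URL the AS redirects the browser to after the user consents.
    Implicit-flow style: the token travels in the URL fragment."""
    s = urlsplit(redirect_uri)
    fragment = urlencode({"access_token": access_token, "token_type": "bearer"})
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, fragment))


def vulnerable_client_callback(url):
    """A client /cb endpoint with an open redirect: it answers 302 to
    whatever ?next= says. Returns the Location value, or None if it
    would not redirect."""
    return parse_qs(urlsplit(url).query).get("next", [None])[0]


def browser_follow(current_url, location):
    """Browsers keep the current page's fragment when the Location header
    has none (RFC 7231 section 7.1.2), so the token survives the hop."""
    cur, loc = urlsplit(current_url), urlsplit(location)
    if cur.fragment and not loc.fragment:
        return urlunsplit((loc.scheme, loc.netloc, loc.path, loc.query, cur.fragment))
    return location


def run_flow(exact_matching, requested_redirect_uri=MALICIOUS_REDIRECT_URI):
    """Drive the flow end to end. Returns the URL the attacker's server
    would receive, or None if nothing reaches the attacker."""
    if not redirect_uri_allowed(REGISTERED_REDIRECT_URIS, requested_redirect_uri, exact_matching):
        return None  # AS rejects the request: attack stops here
    at_client = authorization_response(requested_redirect_uri, "tok-123")
    location = vulnerable_client_callback(at_client)
    if location is None:
        return None  # callback did not redirect: token stays with the client
    return browser_follow(at_client, location)


if __name__ == "__main__":
    print("loose matching :", run_flow(exact_matching=False))
    print("exact matching :", run_flow(exact_matching=True))
    print("wildcard reg.  :", has_wildcard("https://client.example/*"))
```

With loose matching the AS accepts the attacker's redirect_uri, the client's callback 302s to attacker.example, and the browser appends the fragment, so the attacker receives the access token. With exact matching the authorization request is refused before any token is issued, which is precisely the behaviour the bulletin recommends; the open redirect on the client still deserves fixing, but it no longer exposes OAuth credentials.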