Hi guys, I have found a way to use the open redirect vulnerability that Zendesk refused to fix (we discussed it in #101146) to bypass the interstitial redirect. In #101146, @bencode said:

> I tend to agree with Zendesk, we don't really see any security issues with it. We use our interstitial to warn the user and it's clear you are on a separate site.

Well, using this issue I could bypass the interstitial redirect.
The link is

https://hackerone.com/zendesk_session?locale_id=1&return_to=https://support.hackerone.com/ping/redirect_to_account?state=compayn:/

which is used to redirect to generate a Zendesk session.
This can be fixed from your end, by detecting the /ping/redirect_to_account in the