There is a need to fix the vulnerability posed by the Zendesk ticket rating URL/page. An interceptor page can submit a rating on the user's behalf without the user's consent. The rating is submitted for the last of the two rating links, which is mostly the 'Bad' rating. While it impacts rating calculation, it can be exploited by organisations to get a +ve rating by simply switching the position of the two rating URLs, i.e. placing the +ve rating link afterwards.
A workaround by Zendesk (https://support.zendesk.com/hc/en-us/articles/115012836948-Why-am-I-receiving-unexpected-bad-satisfaction-ratings-) says to replace the rating placeholders that are specific to a rating type with one that does not pre-select a rating when clicked, which defeats the purpose of having two separate links in the ticket.
A permanent solution should be provided by Zendesk, e.g. a captcha, to solve this problem.
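The behaviour described in the post, modelled as an added example (not Zendesk code and not part of the original post): a link scanner that fetches every URL in an email, against a rating endpoint that records on GET versus one that only records on an explicit POST confirmation. The host, URL shape, ticket id and all class and function names are assumptions made for the illustration.

```python
import re

def links_in(email_body):
    """Return the links in the order they appear in the email."""
    return re.findall(r"https://\S+", email_body)

def parse(url):
    # Hypothetical URL shape: .../rate/<ticket_id>?rating=<good|bad>
    m = re.search(r"/rate/(\d+)\?rating=(good|bad)$", url)
    return int(m.group(1)), m.group(2)

class RatingEndpoint:
    """Toy rating service; state_changing_get selects the design under test."""
    def __init__(self, state_changing_get):
        self.state_changing_get = state_changing_get
        self.ratings = {}  # ticket_id -> rating

    def get(self, url):
        ticket, rating = parse(url)
        if self.state_changing_get:
            self.ratings[ticket] = rating  # every fetch overwrites: last link wins
            return "recorded"
        return "confirm"  # only renders a confirmation form, stores nothing

    def post(self, url):
        # Reached only when a person submits the confirmation form.
        ticket, rating = parse(url)
        self.ratings[ticket] = rating
        return "recorded"

def scanner_visit(endpoint, email_body):
    """Interceptor model: GETs each link top to bottom, never submits a form."""
    for url in links_in(email_body):
        endpoint.get(url)

def email(order):
    # Constructed sample email body with two rating links for ticket 42.
    return "\n".join(
        f"https://support.example.test/rate/42?rating={r}" for r in order)

def simulate(state_changing_get, order):
    ep = RatingEndpoint(state_changing_get)
    scanner_visit(ep, email(order))
    return ep.ratings.get(42)

if __name__ == "__main__":
    print("GET records, good then bad:", simulate(True, ("good", "bad")))
    print("GET records, bad then good:", simulate(True, ("bad", "good")))
    print("POST confirm only:         ", simulate(False, ("good", "bad")))
```

With a state-changing GET the stored rating depends only on link order; when recording requires the POST step, the scanner's visit leaves no rating at all.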