I offer security consulting services within the space of Penetration Testing , Ethical Hacking , Vulnerability Assessments and Security Code and Configuration Reviews

SquareUp Open Redirection

During Password resetting, I observe something, that Password token link is redirected first through subscriptions link. where 'r' is the parameter and value can be any website.
Steps To Reproduce:
1- After Password Reset email, Copy Link Address.

2- Address URI look like this: 

Video PoC: