Signup with any Email and Enable 2-FA without verifying Email

Medium
Cloudflare Public Bug Bounty

Team Summary

Official summary from Cloudflare Public Bug Bounty

It was possible to enable the Two-factor authentication feature for an unverified Cloudflare account. As a consequence, a legitimate owner of the e-mail address, which was used to create the unverified account, is unable to log in or reset the password to the Cloudflare account. The issue was fixed by the Engineering team by implementing access control restrictions on 2FA configuration for unverified accounts. Note: A duplicate report to credit researcher with simultaneous submission in a different program: @adozenplusone

Reported by imtheking

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Improper Authentication - Generic