Forget password link not expiring after email change.

I found a token miss configuration flaw in chaturbate.com, When we reset password for a user a link is sent to the registered email address but incase it remain unused and email is updated by user from setting panel then too that old token [reset link] sent at old email address remains valid. #A better explanation 1- User use reset feature to get reset link [Email : [email protected]] 2- User came to know about his old password so remain the link unused and the token not expires 3- Now User changes his email from control panel [New email : [email protected]] 4- But the old reset still remains valid after email change In-case an attacker able to get access to user's old email account he can hack his chaturbate account too via that link, so expiring the token at email change will be a better practice ## Impact The attacker can still change the password if victim thinks his/her account is compromised and decided to chnage his email