Logging a user into attacker's account using password reset link
Mapbox
Team Summary
Official summary from Mapbox
On March 26th, 2015, @shahmeer-amir reported an issue with the password reset flow for www.mapbox.com that required social engineering to exploit. We patched the issue and awarded a bounty on April 7th, 2015. Please note that this was not related to denial of service or the institution of an account recovery policy, both of which are out of scope for the Mapbox HackerOne program.
Reported by: shahmeer-amir
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $600.00
Weakness: Violation of Secure Design Principles