A password reset e-mail is supposed to expire pretty quickly though, so would it really matter in practice?
The email must be able to be used at any time which means that and attacker may be able to also "use" them.
alt Hacker News
The email must be able to be used at any time which means that and attacker may be able to also "use" them.