Today one of my team mates registered a bitbucket account using the team's email address. I accidentally clicked on the "Confirm email address" link, and the email address has been added to my account. He then asked for a password reset using that address, and successfully reset my password despite I removed the address from my account earlier.
Email address confirmation tokens should be associated with accounts, and password reset tokens should be associated with the email address and the account.
To reproduce the issue:
- add an email address to my account
- confirm it
- ask a password reset or that email address
- remove the address from my account
- click on the reset password link
An error message saying that there is no account for that email address.
Password is changed on the account which that email address is no longer assigned to.