Broken authentication and invalidated email address leads to account takeover
Unknown
Vulnerability Details
Hi, team.
I found a bug in twitter.com
Description and POC:
1) Create a twitter account having email address "[email protected]".
2) Now Logout and ask for password reset link. Don't use the password reset link.
3) Log in again with the same password, update your email address to "[email protected]" and verify it.
4) Now log out and use the password reset link that was mailed to "[email protected]" in step 2.
5) You can see that it is possible to change the password.
Here the password reset link for "[email protected]", the old email address associated with the Twitter account, can be used to change the password of the Twitter account whose email address has been updated to "[email protected]".
Attack scenario:
If the victim's previous "[email protected]" email account was compromised and he decided to update his Twitter email address to "[email protected]", but before updating he requested a password reset link by mistake, his Twitter account will be compromised by the attacker.
Fix: As soon as the new email address is updated, all previous reset links should expire.
If you want further information please let me know.
Thanks and regards.
Mohd Haji
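The flaw the report describes is a password-reset token that stays valid after the address it was mailed to is replaced. The following is an added example, not code from the reporter or from Twitter: a minimal account service whose `hardened=False` mode reproduces steps 1 to 5 above (the stale token still resets the password) and whose `hardened=True` mode applies the suggested fix by revoking every outstanding reset token on an email change, and additionally binds each token to the address it was issued for. The usernames, addresses, passwords and TTL are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset link


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    """In-memory account store with a password-reset flow.

    hardened=False keeps tokens alive across an email change (the reported bug);
    hardened=True revokes them and also checks the token's bound address.
    """

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.users = {}         # username -> {"email", "salt", "pw_hash"}
        self.reset_tokens = {}  # sha256(token) -> {"username", "email", "expires"}

    def create_account(self, username, email, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"email": email, "salt": salt,
                                "pw_hash": _hash_password(password, salt)}

    def login(self, username, password):
        u = self.users[username]
        return hmac.compare_digest(u["pw_hash"], _hash_password(password, u["salt"]))

    def request_password_reset(self, email):
        """Returns the raw token that would be mailed to `email`, or None."""
        for name, u in self.users.items():
            if u["email"] == email:
                token = secrets.token_urlsafe(32)
                # Store only a hash so a leaked table cannot be replayed directly.
                key = hashlib.sha256(token.encode()).hexdigest()
                self.reset_tokens[key] = {"username": name, "email": email,
                                          "expires": time.time() + TOKEN_TTL_SECONDS}
                return token
        return None  # same response for unknown addresses

    def update_email(self, username, new_email):
        self.users[username]["email"] = new_email
        if self.hardened:
            # The fix: every reset link issued for this account dies with the old address.
            self.reset_tokens = {k: v for k, v in self.reset_tokens.items()
                                 if v["username"] != username}

    def reset_password(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        rec = self.reset_tokens.pop(key, None)  # single use in both modes
        if rec is None or rec["expires"] < time.time():
            return False
        u = self.users[rec["username"]]
        if self.hardened and rec["email"] != u["email"]:
            return False  # defence in depth: token only valid for the address it was mailed to
        u["salt"] = secrets.token_bytes(16)
        u["pw_hash"] = _hash_password(new_password, u["salt"])
        return True


def stale_token_takeover_succeeds(service):
    """Replays the report's steps; True means the old-address link still resets the password."""
    service.create_account("victim", "old@example.com", "original-pw")       # step 1
    stale = service.request_password_reset("old@example.com")                 # step 2
    assert service.login("victim", "original-pw")                             # step 3
    service.update_email("victim", "new@example.com")
    took_over = service.reset_password(stale, "attacker-pw")                  # step 4
    return took_over and service.login("victim", "attacker-pw")               # step 5


if __name__ == "__main__":
    print("vulnerable:", stale_token_takeover_succeeds(AccountService(hardened=False)))
    print("hardened:  ", stale_token_takeover_succeeds(AccountService(hardened=True)))
```

The revocation on `update_email` is the fix the reporter asks for; the email check in `reset_password` covers the case where revocation is missed on some other path that changes the address (an admin tool, an account merge), which is why a token should carry the address it was issued for rather than only the account id.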
Report Stats
- Report ID: 22203
- State: Closed
- Substate: informative
- Upvotes: 7