
I just noticed with Instagram, what you can do is:

  1. From the logged in Instagram app, change your email address. This will send a verification link to the new email address.
  2. Verifying the email address requires you to log in when you click the link.
  3. From any login screen (desktop browser or smartphone app), you can ask to reset your password using the new email address before you've verified the email address.
  4. This will send a reset link to the new email address, which you can use to reset the password, and then verify the new address.

So this requires that you already have access to the person's logged-in Instagram account (e.g. if they leave their phone lying around).

Is this a serious security issue or do you assume that accessing someone's phone is already the security breach?

More details here: https://thingsdavidhaslost.wordpress.com/2015/06/01/access-to-his-instagram-account/

dwjohnston
  • It sounds like the author of that blog has already notified Instagram, otherwise you should let them know about this vulnerability. – Mike Ounsworth Jun 01 '15 at 13:16
  • This kind of vulnerability is very risky, especially when using SSO login. If a website/system uses Instagram as social login, someone could take over another user's account by changing their email without verifying it (as it seems that 'resetting' the password already uses the new email without verifying it). – lepe Jul 17 '15 at 01:11

1 Answer


Leaving access to your phone while logged in to a service is without doubt a security breach, but I also see a few screw-ups on the part of Instagram here:

  1. Not asking for the password when modifying the email address associated with the account
  2. Sending the verification for the new email address to the new email address, instead of the old email address (or both old and new addresses)

Point #1 should be implemented in any environment which is minimally security-aware. If not implemented, point #2 serves to mitigate this kind of attack.

dr_
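To make the two posts concrete, here is a toy account service that replays steps 1-4 from the question and then applies the answer's two fixes (require the password before an email change, and notify the old address). This is an added example written for this page; it is not code from the question, the linked blog post or Instagram. The class and method names, the token format, the in-memory "outbox" standing in for SMTP, and the use of sha256 in place of a real password hash are all assumptions made to keep the example self-contained.

```python
"""
Model of the email-change / password-reset flow from the question.
`strict=False` reproduces the flaw: a reset is honoured for an address
that was changed but never verified. `strict=True` applies the answer's
two fixes. Everything here (names, tokens, outbox) is an assumption for
illustration, not Instagram's real implementation.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password_hash: str
    email: str                       # verified recovery address
    pending_email: str | None = None  # set on change, cleared only after verification


def _hash(password: str) -> str:
    # sha256 stands in for a real password hash (argon2/scrypt) to keep this short
    return hashlib.sha256(password.encode()).hexdigest()


class AccountService:
    def __init__(self, strict: bool):
        self.strict = strict                      # False = flow from the question
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []   # (recipient, message) instead of SMTP
        self.reset_tokens: dict[str, str] = {}    # token -> username
        self.verify_tokens: dict[str, str] = {}   # token -> username

    def register(self, username: str, password: str, email: str) -> None:
        self.accounts[username] = Account(username, _hash(password), email)

    def change_email(self, username: str, new_email: str, current_password: str | None = None) -> str:
        acct = self.accounts[username]
        if self.strict:
            # Fix 1 from the answer: re-authenticate before touching the recovery channel
            if current_password is None or not hmac.compare_digest(_hash(current_password), acct.password_hash):
                raise PermissionError("password required to change email")
            # Fix 2 from the answer: tell the OLD address, so the real owner can react
            self.outbox.append((acct.email, f"email change to {new_email} requested"))
        acct.pending_email = new_email
        token = secrets.token_urlsafe(16)
        self.verify_tokens[token] = username
        self.outbox.append((new_email, f"verify:{token}"))
        return token

    def request_password_reset(self, email: str) -> bool:
        for acct in self.accounts.values():
            # The flaw: the non-strict service also matches an unverified pending_email
            if acct.email == email or (not self.strict and acct.pending_email == email):
                token = secrets.token_urlsafe(16)
                self.reset_tokens[token] = acct.username
                self.outbox.append((email, f"reset:{token}"))
                return True
        return False  # unknown or unverified address: nothing is sent

    def reset_password(self, token: str, new_password: str) -> None:
        username = self.reset_tokens.pop(token)
        self.accounts[username].password_hash = _hash(new_password)

    def login(self, username: str, password: str) -> bool:
        return hmac.compare_digest(_hash(password), self.accounts[username].password_hash)


def attacker_wins(strict: bool) -> bool:
    """Replay steps 1-4 from the question and report whether the attacker
    ends up logging in with a password of their own choosing."""
    svc = AccountService(strict)
    svc.register("victim", "victim-pw", "victim@example.com")  # constructed sample account
    try:
        # Step 1: from the unlocked phone, change the email (no password typed in)
        svc.change_email("victim", "attacker@example.com")
    except PermissionError:
        return False
    # Step 3: from any login screen, request a reset using the still-unverified address
    if not svc.request_password_reset("attacker@example.com"):
        return False
    # Step 4: read the reset link from the attacker's own mailbox and use it
    token = next(m.split(":", 1)[1] for to, m in svc.outbox
                 if to == "attacker@example.com" and m.startswith("reset:"))
    svc.reset_password(token, "attacker-pw")
    return svc.login("victim", "attacker-pw")


if __name__ == "__main__":
    print("flawed flow, attacker wins:", attacker_wins(strict=False))
    print("fixed flow, attacker wins:", attacker_wins(strict=True))
```

The point of splitting the two fixes is that they are independent: even if the password prompt is dropped (the `strict` check in `change_email`), refusing to honour resets for a `pending_email` and mailing the old address are enough to stop the takeover described in the question, which is what the answer's "point #2 serves to mitigate" remark is getting at.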