I forgot my del.icio.us password so I went to the reset password function. It showed me the email address that I had used to sign up to del.icio.us with and an option to change that address. I changed it to something else without needing to enter a password or anything. I got confirmation of the change sent to both addresses. Then, I went back to the reset password page and clicked the link for del.icio.us to send me a password reset link. It happily sent it to the new email address that I'd entered.
So what's to stop anyone from going to del.icio.us, changing the email address to my account and then getting access to change my password? WTF? Tell me what I'm missing here?