The point is obvious: it would give anyone who intercepts the (plain text) email full access.

However, the price for not doing this is pretty high in terms of conversion, so as far as I'm concerned it's not a black and white issue.

If there's nothing particularly sensitive to be compromised (and that usually isn't the case at this stage), simple measures like rapidly expiring the verification URL and allowing it to be used only once is "good enough" for most sites.

There are no absolutes in security.

If the link allows you to pick a new password without knowing your current password, anyone who intercepts the email with the link would also get full access using the new password.

It's talking about email verification, not password reset systems. In other words, those types of URLs should only establish a connection between an account and an email address: they shouldn't act as a means of authentication.

Ah ok.

Aren't both of these equivalent though?

(I would think the point may be that a compromised email, doesn't provide access later. Both these scenario are equally vulnerable then?)

It would also be to make sure an attacker can't just iterate through or guess at the emailed URLs and get valid, logged-in sessions without needing to properly authenticate.

Tagged.com allows authentication through most of the emails they send to you. Frightening from a security perspective.

Great from a usability perspective!

The only thing I can think of is it allows the user to realise if their account had been compromised because the password have been changed. But I agree with you.