Dan Melamed explained the technical details of the flaw he had just found on his personal blog. Facebook has already fixed the vulnerability.
Melamed said that all the hacker needed was to make the victim visit a link. Once the link is loaded, the attacker can reset the password.
When a user tries to add an email address that already exists in the Facebook system, they have the option to “claim it”. When claiming an email address, Facebook did not check who the request came from. This allowed an email address to be claimed on any Facebook account.
The newly added email addresses can then be used to gain complete access to the victim’s account.
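The missing requester check described above, as an added example: this is a constructed toy model, not Facebook's code or code from Melamed's post. The class, method names, account names and the token-to-requester binding are assumptions chosen to show one way a claim can be tied to the account that started it.

```python
import secrets


class ClaimService:
    """Toy model of an email-claim flow (constructed; not Facebook's code)."""

    def __init__(self, check_requester):
        self.check_requester = check_requester
        self.emails = {}   # account id -> set of email addresses on the account
        self.pending = {}  # claim token -> (email, account that started the claim)

    def start_claim(self, session_user, email):
        # Issue a one-time token and remember which account asked for it.
        token = secrets.token_urlsafe(16)
        self.pending[token] = (email, session_user)
        return token

    def finish_claim(self, session_user, token):
        # Runs when the claim link is loaded inside a logged-in session.
        entry = self.pending.get(token)
        if entry is None:
            return False
        email, requester = entry
        if self.check_requester and session_user != requester:
            # Hardened path: the session loading the link must belong to the
            # account that started the claim. The token is not consumed.
            return False
        del self.pending[token]
        self.emails.setdefault(session_user, set()).add(email)
        return True


def run_scenario(check_requester):
    """One account starts a claim; the link is loaded in another account's session."""
    svc = ClaimService(check_requester)
    token = svc.start_claim("mallory", "m@example.test")  # constructed sample values
    accepted = svc.finish_claim("alice", token)
    return accepted, sorted(svc.emails.get("alice", ()))


if __name__ == "__main__":
    print("no requester check:", run_scenario(False))
    print("requester check:   ", run_scenario(True))
```

With the check disabled, the address lands on whichever account loads the link; with it enabled, the request is refused and the target account is unchanged.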