They both change the password, thereby granting access to the account. The security issue is really just the true stupidity of "sending password reset links via unencrypted email" - but it's already the standard so we can leverage that to offer auto-login links at no extra charge.
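Since both kinds of link grant account access through the same mailbox, the following added example (not part of the original comment) issues reset and auto-login tokens from one store with identical handling. The class name, the two purpose labels, the 15-minute lifetime and the single-use and hashed-storage rules are assumptions of this sketch, not something the comment specifies.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the comment does not give one


class EmailLinkTokens:
    """Single-use, expiring tokens for links delivered by e-mail (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user, purpose, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, purpose):
        if purpose not in ("reset", "login"):
            raise ValueError("unknown purpose")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (
            user, purpose, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, purpose):
        """Return the user the token was issued to, or None if invalid."""
        # pop() makes the token single-use: any second attempt finds nothing,
        # and a token presented for the wrong purpose is burned as well.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user, issued_for, expires_at = entry
        if issued_for != purpose or self._clock() > expires_at:
            return None
        return user


def demo():
    now = [1_000_000.0]  # constructed clock so expiry can be shown offline
    tokens = EmailLinkTokens(clock=lambda: now[0])
    reset, login = tokens.issue("alice", "reset"), tokens.issue("alice", "login")
    first = (tokens.redeem(reset, "reset"), tokens.redeem(login, "login"))
    replay = tokens.redeem(login, "login")  # same link clicked again
    stale = tokens.issue("alice", "login")
    now[0] += TOKEN_TTL_SECONDS + 1  # let the last token expire
    return first, replay, tokens.redeem(stale, "login")
```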