
Drupal account creation overwrites existing Civi contact record data without verification

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 4.0.2
    • Fix Version/s: 4.4.0
    • Labels:
      None

      Description

      Situation: Drupal set up to allow visitors to register accounts with e-mail verification required. A CiviCRM profile exists with individual contact information set to be used for Drupal User Registration. An existing individual contact record in CiviCRM with no corresponding Drupal account.

      When a visitor creates a new account in Drupal with an email address matching a contact in Civi, the profile information in Civi will be updated with the new info the individual inputs WITHOUT the e-mail verification process being completed. This means someone could feasibly edit someone else's data in Civi. For instance, if the First Name field is exposed in the profile, the visitor could enter "Hacker" as the First Name. To do this, the only thing needed to overwrite Civi contact information would be an email address of an existing Civi contact without a corresponding Drupal account.

      In my opinion, this is a security hole. If Drupal is set up to require verification before allowing an individual, Civi should follow and not allow any contact data to change until the individual has been verified.
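As an added illustration (a simplified Python model written for this page, not CiviCRM or Drupal code), the flow the report describes sits next to a hardened variant that parks the submitted profile fields under a one-time verification token and only merges them into the matching contact when that token is redeemed; `ContactStore`, `VerifiedRegistrar` and `ALLOWED_FIELDS` are assumed names, and the contact data is constructed.

```python
import secrets
from dataclasses import dataclass

ALLOWED_FIELDS = {"first_name", "last_name"}  # fields the form may write (assumed)
@dataclass
class Contact:
    email: str
    first_name: str = ""
    last_name: str = ""

class ContactStore:
    """Constructed stand-in for the CiviCRM contact table, keyed by email."""
    def __init__(self, contacts):
        self.by_email = {c.email.lower(): c for c in contacts}
    def find(self, email):
        return self.by_email.get(email.lower())

def apply_profile(contact, profile):
    # Only whitelisted fields reach the record, whatever the form submits.
    for key, value in profile.items():
        if key in ALLOWED_FIELDS:
            setattr(contact, key, value)

def register_unverified(store, email, profile):
    """Report's behaviour: a matching contact is overwritten at signup, unverified."""
    contact = store.find(email)
    if contact is not None:
        apply_profile(contact, profile)
    return contact

class VerifiedRegistrar:
    """Hardened flow: fields are parked under a one-time token, written only on redeem."""
    def __init__(self, store):
        self.store = store
        self.pending = {}  # token -> (email, profile)
    def register(self, email, profile):
        token = secrets.token_urlsafe(16)  # would be emailed to the address
        self.pending[token] = (email, dict(profile))
        return token
    def verify(self, token):
        entry = self.pending.pop(token, None)
        if entry is None:
            return None  # unknown or reused token: nothing is written
        email, profile = entry
        contact = self.store.find(email)
        if contact is None:  # genuinely new person: create, then fill in
            contact = Contact(email=email)
            self.store.by_email[email.lower()] = contact
        apply_profile(contact, profile)
        return contact
```

Until `verify` succeeds, the existing contact is untouched, so knowing another person's address alone no longer lets a registrant change their record.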


            People

            • Assignee: lobo (Donald A. Lobo)
            • Reporter: jaymcgraw (Jason McGraw)
            • Votes: 0
            • Watchers: 2
