modern-web-design-and-development

(Brent) #1

CSRF becomes even more dangerous when you are logged into and
authenticated by a particular system. An image in any other tab in your
browser could execute a money transfer, read your emails and send them
on, and do many other evil things.


A really interesting case of CSRF (albeit an innocent one) occurred in 2006,
when Google released its now discontinued Web accelerator tool (GWA).
The idea was to pre-fetch websites that were linked to from the current
document, thus making surfing faster. All well and good... until you ended
up with delete links in websites that worked like this:


<a href="/app/delete_entry.php?id=12">delete</a>

Because some applications did not check whether this was an initiated
deletion or an attempt by GWA to pre-load the page, the tool deleted whole
blogs and product databases. Google did nothing wrong, but the community
learned a lot about CSRF that day.


Now, you might suppose that moving your forms from GET to POST would
make them safe, right? Partially, yes, but an attacker could still use a form
and trick people into clicking a button to make the request:


<form method="post" action="add_to_db.php">
  …
  <input type="hidden" name="comment"
         value="awesome article, buy cialis now!">
  …
</form>
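The two cases above (a pre-fetched GET delete link and a forged POST form), run through a server-side check, as an added example that is not part of the original text. The function names and the `csrf_token` field name are assumptions chosen for illustration; the request data is constructed.

```php
<?php
// Added example, not from the original text. Function names and the
// 'csrf_token' field name are assumptions chosen for illustration.

/** Create a per-session token once and reuse it for every rendered form. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decide whether a state-changing request (delete_entry.php, add_to_db.php)
 * may run. Returns an HTTP status code: 200 to proceed, otherwise the refusal.
 */
function check_state_change(string $method, array $post, array $session): int
{
    // A pre-fetcher or <img> tag only issues GET, so GET must never modify data.
    if ($method !== 'POST') {
        return 405;
    }
    // A forged cross-site form can POST, but under the same-origin policy
    // the attacker's page cannot read the token stored in the victim's session.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if (!is_string($supplied) || $expected === '' || !hash_equals($expected, $supplied)) {
        return 403;
    }
    return 200;
}

// Constructed requests: $session stands in for $_SESSION, $post for $_POST.
$session = [];
$token   = csrf_token($session);

$cases = [
    'pre-fetched delete link (GET)' => ['GET',  []],
    'forged hidden-field form'      => ['POST', ['comment' => 'awesome article, buy cialis now!']],
    'form rendered by the site'     => ['POST', ['comment' => 'nice post', 'csrf_token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-30s -> %d\n", $label, check_state_change($method, $post, $session));
}
```

In a real script the same check would be called with `$_SERVER['REQUEST_METHOD']`, `$_POST` and `$_SESSION` after `session_start()`, and the token would be written into each form as a hidden field.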
