Recently SlashDot had a very important story on a major security risk that all modern web sites face: The Cross Site Request Forgery is a malicious technique that can be used to exploit the trust that web sites have on their legitimate users (e.g. cookie)A very simple example is provided in Wikipedia: http://bank.example/withdraw?account=bob&amount=1000000&for=mallory could be a URL that would withdraw 1M $ from Bob's account and put it into Mallory's. Bob may well have a cookie on his computer from his bank, still active, that would automatically authenticate him. Bob will only then see something like "Your transfer was completed succesfully!".
While exaggerating, this example shows well the fact that many modern web applications are heavily dependent on somewhat simplified authentication techniques (such as cookies). Properly crafted query sections of the URI(see here about URI structure), or script code, could then be used to enable requests from malicious entities. A slashdot user puts it well: "Repeat after me boys and girls "GET requests shouldn't change anything on the server"."
The most scary thing is that this problem is everywhere. Major websites are vulnerable, and recently YouTube and NYTimes included! Any link we click on, any image or file, could be harmful. While there are some serious preconditions that have to be met so that it evolves into a big threat, security experts believe we have just seen the tip of the iceberg. From our side, we could keep track of what we click on, but how careful can we be? (like this phishing example)
One major implication could arise if CSRF attacks escalate: It could hit on Google's PageRank algorithm. PageRank is over-dependent on hyperlink text section, because it weighs it on what the target page is all about. Perfect example: This Google search for the term "recapitasse" will bring Developer On Line on the top 10 results. This is an Italian word, never-ever mentioned here, but this blog was linked once(for the Gmail scam) with this text, and until now "recapitasse" is supposed to describe the content of that blog post.
Anyway, if quality a-tag text is essential for PageRank and if CSRF undermines it, this is a problem. It could lead to much more extensive Google bombs than we have ever experienced. Overloaded social networks(like Facebook) can also be a great place for this 'web disease'. The threat is much greater than before, because CSRF attacks do not come from malicious sites that we can keep track of. Users just do 'semi-subconscious' actions (image-button clicks) on trusted sites as they usually do. The question remains as to whether the Internet itself can keep its content clean and scam-free.
Further reading see here.
