"Google has fixed a vulnerability in their Gmail web based email
service which would have allowed internet attackers to steal mail
messages from users without being noticed.
The attack works by forcing a logged-in user to add a mail
filter to their Gmail account, thereby allowing their mail to be
forwarded to an external mail address controlled by the attacker.
Because the Gmail service did not adequately verify the origin of such
requests, it was possible for attackers to create their own web pages
that used JavaScript to automatically make such requests on behalf of
their victims. In essence, a Gmail user would visit one of these pages
and have their account compromised without necessarily realising
anything is awry. Only close inspection of the Filters tab in the Gmail
Settings menu would reveal what had happened. "
The CSRF FAQ: Cross-site request forgery
Article Link: http://news.netcraft.com/archives/2007/09/30/g..
