Logout/Login CSRF

Simon Willison points to a report that discusses "login CSRF" attacks, where "an attacker uses CSRF to log a user in to a site (e.g. PayPal) using the attacker's credentials, then waits for them to submit sensitive information".

I wrote an email about this to Google's security address a few weeks ago (not having seen this existing discussion) and they never replied, so I guess they don't think of it as serious (and in fact there's not much they could do about it anyway - they already display the logged-in account name prominently at the top of the page, which is all they can really do).

Here's an example page which will log a visitor out of their Google account (not sure if this step is even necessary) then log them back in to an account I created, which has Web History enabled. Any subsequent Google searches, if the person doesn't notice that the account they're logged in as has changed, will be visible to anyone who has the password to the false account.

If there was a requirement that a browser is logged out of an account before it can be logged in to a different account on the same site, then you could use security tokens to protect against the 'logout' action, the same as for any other CSRF, but that wouldn't protect anyone who's using the site anonymously (so wouldn't be logged in in the first place). It's more of an annoyance at the moment: for example, if you can get <img src="/logout"> onto a Drupal site, perhaps through a post picked up by the aggregator, then anyone looking at that page will be logged out of the site. Again, the Drupal security team doesn't view this as a problem…
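The following sketch is an added example, not code from this post, from Drupal or from Google. It shows the two token checks discussed above: a user-specific token on the logout URL (so `<img src="/logout">` carries the cookie but not the token and is refused), and the same token mechanism applied to the login form. The one extra ingredient for the anonymous case is that the site issues a random cookie on the first anonymous visit and binds the login token to it; an attacker's cross-site form can't read that cookie, so it can't produce a valid token. The in-memory session store, the per-deployment secret, the dict-shaped requests and the user names are all assumptions made for the example.

```python
"""Illustrative logout-CSRF and login-CSRF token checks (added example,
not Drupal or Google code). Assumptions: an in-memory session store, a
per-deployment secret, and requests modelled as (cookie, path, params)."""
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # assumption: one secret per deployment


def action_token(cookie_value: str, action: str) -> str:
    """Token bound to the browser's cookie AND to one action.

    Binding to the cookie is what stops a third-party page: the browser
    attaches the cookie to a cross-site request, but the attacker never
    sees its value, so cannot compute the matching token."""
    msg = f"{cookie_value}:{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def token_ok(cookie_value: str, action: str, presented) -> bool:
    if not cookie_value or not presented:
        return False
    return hmac.compare_digest(action_token(cookie_value, action), presented)


class Site:
    def __init__(self):
        # constructed sample accounts
        self.users = {"victim": "victim-pw", "attacker": "attacker-pw"}
        self.sessions = {}          # cookie value -> logged-in user or None

    def visit(self) -> str:
        """Anonymous visit: issue a random cookie straight away, so the
        login form can be protected even for visitors who are not logged in."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = None
        return cookie

    def login_form_token(self, cookie: str) -> str:
        """Hidden field the site's own login page would render."""
        return action_token(cookie, "login")

    def logout_link(self, cookie: str) -> str:
        """Logout link the site renders for a logged-in user."""
        return f"/logout?token={action_token(cookie, 'logout')}"

    def handle(self, cookie: str, path: str, params: dict):
        """Process one request; return (status, user logged in afterwards)."""
        if cookie not in self.sessions:
            return "403 unknown session", None
        current = self.sessions[cookie]
        if path == "/login":
            if current is not None:
                # the 'must log out first' rule suggested in the post
                return "403 already logged in", current
            if not token_ok(cookie, "login", params.get("token")):
                return "403 bad login token", current
            user = params.get("user")
            if self.users.get(user) != params.get("password"):
                return "401 bad credentials", current
            self.sessions[cookie] = user
            return "200 logged in", user
        if path == "/logout":
            if not token_ok(cookie, "logout", params.get("token")):
                return "403 bad logout token", current
            self.sessions[cookie] = None
            return "200 logged out", None
        return "404", current


def demo() -> dict:
    """Run the three scenarios from the post; return their outcomes."""
    site = Site()
    results = {}

    # Anonymous visitor hits a page containing an attacker's auto-submitting
    # form that posts the attacker's credentials (login CSRF). The attacker
    # can only guess the token because the cookie value is unknown to them.
    anon = site.visit()
    results["login_csrf"] = site.handle(anon, "/login", {
        "user": "attacker", "password": "attacker-pw",
        "token": secrets.token_hex(32)})

    # A real user logs in through the site's own form (token present).
    victim = site.visit()
    site.handle(victim, "/login", {"user": "victim", "password": "victim-pw",
                                   "token": site.login_form_token(victim)})

    # <img src="/logout"> on some other page: cookie is sent, token is not.
    results["img_logout"] = site.handle(victim, "/logout", {})

    # The site's own logout link still works.
    token = site.logout_link(victim).split("token=", 1)[1]
    results["real_logout"] = site.handle(victim, "/logout", {"token": token})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The token is an HMAC over the cookie and the action name rather than a second random value stored server-side, which is the cheaper option when the site already has a per-request secret; either way the property that matters is that the value is unguessable without reading the victim's cookie, and that the logout link and login form carry it while a bare `<img>` or third-party form cannot.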

Comments

Do you have a reason why you say "the Drupal security team doesn't view this as a problem"? Drupal's security team usually takes all issues very seriously, and Drupal does have anti-CSRF mechanisms in place.

If you can get an image tag into any HTML anywhere, you can do all sorts of horribly nasty things to someone. That's why Drupal ships with image tags disabled in the default filter, for instance. Unfortunately if a user does need image tags then they automatically open themselves up to potential holes. So I don't know what the Sec team for Drupal, or any other project for that matter, could do about the specific example you provide. If you do, then please do let the Security team know.

The reason I say that is because I emailed the Drupal security list and (again) didn't get a reply. What they could do about this specific example is require a user-specific token on the logout URL, using the same mechanism as is used to secure form submissions from CSRF.

What kind of horrible nasty things can you do to someone with an image tag?

Well you list one yourself, with src="/logout". :-) On many versions of IE, an img tag that points to an executable will execute that file, or that points to a JS file will execute that JS file in the context of the browser, or it could simply serve as a "Web bug" (remember those?) to inform some 3rd party site of where you are, etc. All kinds of things.

A token for the logout link doesn't sound like a bad idea, though. Please submit an issue and we'll see if we can get that into Drupal 7. :-)
