Security researchers have found what they say is an entirely new kind of web-based attack, and it only targets the Ajax applications so beloved of the Web 2.0 movement.
Although the attack is not at all new, it is worth reading about if you're using Ajax and don't know what CSRF is. Jeremiah's Gmail exploit from early last year is a good example that uses CSRF for information disclosure, which is all this really is.
Being in the web application security profession myself, I appreciate the strong desire among my peers to increase awareness, but I'm not fond of the tendency to deliberately misinform people and incite fear based upon false pretenses. We should strive to offer clarity, not confusion. In this particular case, there are also some strong technical concerns to consider.
In some of the comments I've read in various places, people new to CSRF recommend checking the Referer header as a safeguard. This does not offer sufficient protection against CSRF, because an attacker can forge HTTP headers with Flash.