<img src="https://mail.google.com/mail/?logout&hl=en" /> will log you out of your Google account. But at least other functionality like sending messages seems to be protected?
Google does not consider this to be a security vulnerability (or at least not one they feel they can deal with). See http://www.google.com/corporate/rewardprogram.html (Logout cross-site request forgery is the section to look for).
Taking steps to prevent malicious logouts would mean that you're creating cases where a logout will not succeed. This opens the possibility of having a bug that prevents people from logging out at all, even if they want to.<p>Would you rather have a bug that allows logouts, or a bug that prevents them?<p>That said, I would love for Facebook to put this snippet in their footer.
It's definitely a bug, but I'd be shocked if they didn't know about it (and thus accept it). Its net result is to make Google accounts <i>more</i> secure (if more annoying to use).<p>Google products are pervasively checked for CSRF, in case you were worried that this was a worrying sign. I'm sure they have CSRFs, but not because they don't hunt them down.
There's probably a reason it's so unprotected (though probably not a very valid reason).<p>Writing CSRF-safe logout would mean that you can't have an href to a static link, and you'd have to implement some sort of unique id/key and/or a form post behind the scenes.
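
The approach raised in the comment above (a per-session key plus a form POST instead of a static href), as an added Python example that is not part of the thread and not Google's code. The in-memory session store, the function names and the `/logout` path are assumptions made for illustration; an unknown session is treated as a successful logout so that the check cannot leave a user unable to log out.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed here)
SESSIONS = {}                          # session id -> username (in-memory stand-in)

def login(username):
    """Create a session and return its id (normally set as a cookie)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = username
    return sid

def logout_token(sid):
    """Token bound to one session; embedded as a hidden field in the logout form."""
    return hmac.new(SERVER_KEY, b"logout:" + sid.encode(), hashlib.sha256).hexdigest()

def render_logout_form(sid):
    """The form post that replaces a static logout href."""
    return ('<form method="post" action="/logout">'
            f'<input type="hidden" name="token" value="{logout_token(sid)}">'
            '<button>Log out</button></form>')

def handle_logout(method, sid, token=None):
    """Return (status, message) for a request to /logout."""
    if method != "POST":
        # An <img src=".../logout"> tag always issues a GET, so it stops here.
        return 405, "logout requires POST"
    if sid not in SESSIONS:
        # Already logged out or expired: report success so a user is never stuck.
        return 200, "no active session"
    expected = logout_token(sid).encode()
    if token is None or not hmac.compare_digest(token.encode(), expected):
        # A cross-site form post carries the cookie but cannot read the token.
        return 403, "missing or invalid token"
    del SESSIONS[sid]
    return 200, "logged out"
```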