Found an interesting use case where the orkut has missed out CSRF rules. Login to orkut as User1 . Update the status as <a href="/GLogin.aspx?cmd=logout">its good!</a> Login as User2 . Go to User1 's profile home and click on the status, you will be successfully logged out. :) Should orkut does not support anchor tags in its status ??