The latest threat to website security is the Cross-Site Request Forgery (or CSRF, pronounced 'sea surf') attack. Virtually every website with user accounts is affected by it, because it exploits the way browsers and cookies work rather than any particular flaw in the website itself.
To carry out the attack, the attacker places a form on his own website that submits to some other target website (e.g. an internet bank). This form will typically do something bad (e.g. transfer money from a user's account into the attacker's account). The attacker cannot simply submit the form himself, since the target site's security will usually prevent it.
However, the attacker can host the form on another website and disguise it as a normal link (via CSS, etc.), and he may be able to trick a visitor into clicking on it. If that visitor happens to be logged into the internet bank (via cookies), the form is submitted to the bank and the browser sends the user's cookie along with it. The bank sees a valid session and allows the transaction to take place. The user has now unwittingly authorized the transaction, and the attacker has stolen his money.
Virtually no websites protect against this kind of attack. To protect against it, your site should use one-time tokens in its forms. I've written about how to do that here:
Preventing Cross-Site Request Forgery attacks with one-time tokens.
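As an added illustration of the one-time-token defence the post points to (example code written for this edit, not the original author's; the in-memory SESSIONS store and the /transfer handler are assumed stand-ins for a real framework's session storage and routing):

```python
import hmac
import secrets

# Stand-in for server-side session storage, keyed by session id.
# Constructed for this example; a real app would use its framework's session store.
SESSIONS: dict[str, dict] = {}


def issue_form_token(session_id: str) -> str:
    """Create a fresh, unguessable token for one form and remember it in the session."""
    session = SESSIONS.setdefault(session_id, {"csrf_tokens": set()})
    token = secrets.token_urlsafe(32)
    session["csrf_tokens"].add(token)
    return token


def render_transfer_form(session_id: str) -> str:
    """Embed the token as a hidden field. A page on another origin cannot read it,
    so a forged form submitted from elsewhere cannot include a valid value."""
    token = issue_form_token(session_id)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session_id: str, form: dict) -> str:
    """Accept the POST only if it carries a token issued to this session, then burn it."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "rejected: not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison against each outstanding token for this session.
    match = next(
        (t for t in session["csrf_tokens"]
         if hmac.compare_digest(t.encode(), submitted.encode())),
        None,
    )
    if match is None:
        return "rejected: missing or invalid CSRF token"
    session["csrf_tokens"].discard(match)  # one-time: replaying the same token fails
    return f"ok: sent {form['amount']} to {form['to']}"
```

In a real deployment, issued tokens should also expire with the session so that unsubmitted forms do not accumulate tokens indefinitely.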