Philipp Lenssen writes about a vulnerability Dwayne C. Litzenberger exposes utilizing "Cross-site Request Forgery (XSRF)" with Google. He goes on to explain how any webmaster could create a page to change Google's default language.
Just imagine how confusing it would be to see everything on Google as Pig Latin without doing anything to deserve it. It's scary how easy it is -- Philipp demonstrates how he created a webpage with a hidden iframe to do exactly as Dwayne explains.
Not only is it disturbing this can be done, but it's even worse that this vulnerability has been around since 2003 without a fix as Ionut points out.