Light meaning the damage is minor, but still a CSRF. You could delete all scheduled e-mails; this is how it used to work:
If you go to Google Analytics->My Customization->Email, the following call is not protected:
This works even without the pdr parameter, so you only need to know the id; you can then iterate emailId from 0 upwards, deleting all the scheduled emails.
The following is a plausible scenario for obtaining the id and executing the CSRF at the same time:
- The attacker builds a page that extracts the needed id from the Referer and, using that id, iterates emailId from 0 to n, issuing unprotected delete-email calls like the one above.
- The attacker makes sure he visits the victim's site from his attack page.
- The victim opens Analytics->Traffic Sources->Referring Sites.
- The victim clicks the link to the attacker's page, thus setting the Referer to something like this:
- The attacker's page deletes all data from Scheduled Emails.
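A defender-side illustration of the fix, as an added example that is not part of the original post: a minimal handler for a delete-scheduled-email endpoint in the unprotected shape described above (a GET keyed only by the session cookie, id and emailId) next to a hardened form that requires POST plus a per-session CSRF token, with a harness that replays the emailId enumeration against both. The session store, status codes and handler names are constructed; only the id and emailId parameter names come from the post.

```python
import hmac
import secrets

# Constructed session store: session cookie value -> (account id, CSRF token).
# In the post the account id is the "id" query parameter leaked via the Referer.
SESSIONS = {"sess-victim": ("1234567", secrets.token_urlsafe(32))}


def delete_email_unprotected(req, store):
    """Shape of the call the post describes: a GET carrying the victim's
    session cookie plus id and emailId is enough to delete."""
    session = SESSIONS.get(req["cookies"].get("sid"))
    if session is None:
        return 401
    account, _token = session
    if req["params"].get("id") != account:
        return 403
    store[account].discard(int(req["params"].get("emailId", -1)))
    return 200


def delete_email_protected(req, store):
    """Hardened form: a state change needs POST and a CSRF token bound to the
    session. A third-party page can make the browser attach the cookie, but
    it cannot read the token, so forged requests stop at the token check."""
    if req["method"] != "POST":
        return 405
    session = SESSIONS.get(req["cookies"].get("sid"))
    if session is None:
        return 401
    account, token = session
    if not hmac.compare_digest(req["params"].get("csrf", ""), token):
        return 403
    if req["params"].get("id") != account:
        return 403
    store[account].discard(int(req["params"].get("emailId", -1)))
    return 200


def forged_get_sweep(handler, account="1234567", n=4):
    """Replay the enumeration the post describes (emailId 0..n-1 as cross-site
    GETs with the victim's cookie) against a handler; returns what survives."""
    store = {account: set(range(n))}
    for email_id in range(n):
        handler({"method": "GET", "cookies": {"sid": "sess-victim"},
                 "params": {"id": account, "emailId": str(email_id)}}, store)
    return store[account]
```

Against the unprotected handler the sweep empties the account's scheduled emails; against the hardened one every forged GET is refused before any state changes, while a same-origin POST carrying the session's token still succeeds.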