Let's go back to the Facebook example. Josefina is a Facebook user, and she accessed Facebook using her username and password. Facebook created a session ID, and stored it in a cookie, which is managed by Josefina's browser. A week later, Josefina accessed Facebook again, but this time, Josefina did not enter her username and password. The browser sends the session that it has in the cookie to Facebook, and Josefina could access her account.

Josefina used a game in Facebook that had an external link. This means that the business logic Josefina is interacting with does not reside in Facebook's servers. After finishing the game, Josefine came back to her account and noticed posts on her wall about Viagra. All of them were posted by her, but she did not do it. What happened?

The game played by Josefina used the information stored in the cookie to post spam on her wall. In Facebook's eyes, this is a completely valid action.

In simple terms, this is a CSRF attack, without big consequences, but just imagine the impact if an online bank, a casino, or a trading application, allowed a CSRF.