by netcorps 4255 days ago
The same type of "attack" can be run against Amazon and most online shops that base suggestions on your product viewing / browsing history. So just embed a link to an "interesting" product (e.g. adult toys) in any website, and users next visiting Amazon will see very odd suggestions. There is not much they can do against this as they still want to count visits on profiles from people coming from Google, where the URLs will not hold a valid CSRF token in them.

Only tracking visits when the page UI has loaded, and preventing the page from being embedded in iframes via security headers (if only these were supported in a more consistent way), would help address this. Not worth the effort.

This would only become an interesting attack vector if many visits to your profile bumped your credibility in any way.