Crapazon's account settings form has no CSRF token. Any page can silently change Alice's email on her behalf.