Google Code: Issues – Cross-Site Request Forgery (XSRF)

There is a possible XSRF in Google Code's Issue list, in the starring feature. Using a predefined GET request, anyone can star an Issue on behalf of someone who is currently logged in to Google.

Tested and working in Firefox & IE (and maybe others).
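To make the root cause concrete, here is an added example (not Google Code's code, and not from the original post) of a toy "star this issue" handler in the vulnerable shape described above, beside a hardened version that refuses GET and requires a session-bound anti-forgery token. The session table, star store and secret are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the tracker's state (assumption, not Google Code's code).
SESSIONS = {"sess-alice": "alice"}   # session cookie value -> logged-in user
STARS = {}                           # issue id -> set of users who starred it
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Per-session anti-forgery token: HMAC(secret, session id).
    It is delivered in the page body, never as a cookie, so a cross-site
    page cannot obtain it and the browser will not attach it automatically."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def star_vulnerable(method, params, cookies):
    """The pattern the post describes: the browser attaches the session
    cookie on its own, and a GET carrying the issue id is all it takes,
    so any page the victim loads can star an issue on their behalf."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401
    issue = params.get("issue")
    if issue is None:
        return 400
    STARS.setdefault(issue, set()).add(user)   # state change on a bare GET
    return 200


def star_hardened(method, params, cookies):
    """Same action, hardened: state changes only on POST, and only with a
    token bound to the caller's session, compared in constant time."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401
    if method != "POST":
        return 405            # a GET must never change server state
    expected = csrf_token(cookies["session"]).encode()
    supplied = params.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return 403            # cross-site forgery: no valid token for this session
    issue = params.get("issue")
    if issue is None:
        return 400
    STARS.setdefault(issue, set()).add(user)
    return 200
```

Marking the session cookie SameSite is worthwhile defence in depth, but the token check is what makes the star action safe on its own.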

Proof of concept: Does someone need this? :) Maybe some day, after the Google team fixes the bug.

PS: Bug reported here.
