The fact that the profile page doesn't have a "Make me an Admin" button is no defense: the attacker will be able to forge an HTTP request without any trouble.
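
The following is an added example, not code from the original page: a minimal profile-update handler in Python, shown once trusting the request body and once enforcing a server-side allow-list of writable fields. The `User` record, the `is_admin` field, `EDITABLE_FIELDS` and both function names are assumptions made for illustration.

```python
from dataclasses import dataclass


# Hypothetical user record; the field names are assumptions for this example.
@dataclass
class User:
    display_name: str
    email: str
    is_admin: bool = False


# Fields the profile form is meant to change, enforced on the server.
EDITABLE_FIELDS = frozenset({"display_name", "email"})


def update_profile_unsafe(user: User, submitted: dict) -> User:
    """Trusts the request body: any attribute the client names is written."""
    for key, value in submitted.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_safe(user: User, submitted: dict) -> tuple[User, list[str]]:
    """Writes only allow-listed fields and returns the unexpected field
    names so the caller can log or alert on them."""
    rejected = sorted(k for k in submitted if k not in EDITABLE_FIELDS)
    changes = {}
    for key in sorted(EDITABLE_FIELDS):
        if key in submitted:
            if not isinstance(submitted[key], str):
                raise ValueError(f"{key} must be a string")
            changes[key] = submitted[key]
    # Apply only after every value has been validated.
    for key, value in changes.items():
        setattr(user, key, value)
    return user, rejected


# Constructed request body: the form renders only display_name and email,
# but the body is whatever the client chooses to send.
SAMPLE_BODY = {"display_name": "mallory", "is_admin": True}

if __name__ == "__main__":
    print(update_profile_unsafe(User("m", "m@example.test"), SAMPLE_BODY))
    print(update_profile_safe(User("m", "m@example.test"), SAMPLE_BODY))
```

The list of rejected field names returned by the allow-listed version is worth logging: a profile request that carries a privilege field the form never renders is a useful detection signal.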