ASP.NET web applications that leverage Forms Authentication, ASP.NET Membership Providers, ASP.NET Role Providers, and/or ViewState encryption are vulnerable to data exposure and potentially tampering. This vulnerability can lead to the .NET MachineKey being discovered by attackers. This post briefly details the issue and provides a simple temporary mitigation technique.
What does concern me however is that there isn't a single mention of this vulnerability being disclosed to Microsoft. From what's implied in the article the vulnerability itself will be announced at that hacker conference into the wild without Microsoft being notified beforehand.
As far as damaging a site - you are correct, it depends on how the site is programmed - and that's where risk assessment comes in. The user name, and sometimes the roles are stuffed into the Forms Authentication Ticket which live in the cookie (in the UserData field). I suspect an attacker could elevate privileges or just change their UserName on a site that uses Forms Auth by decrypting the cookie, modifying the roles and then re-encrypting it with the Machine Key.
This was old recommend practice from MS - to put roles in the UserData field of the Forms Auth Ticket: