Login CSRF is low-risk and high-risk

Login CSRF allows an attacker to force a victim to log in to an attacker-controlled account. It often shows up in vulnerability scans and bug bounties. If you see a Login CSRF vulnerability, should you fix it?

As defenders, we should only spend time fixing Login CSRF if attackers can use it to get something they want. For example, in the diagram below, the attacker wants to know that the victim searches for “llamas” on Google.

CS142: Web Applications — Stanford University