ConsentFix is an advanced OAuth abuse technique targeting GitHub integrations to bypass authentication and gain persistent API access at scale.

ConsentFix attacks abuse GitHub OAuth tokens to bypass authentication


Overview of the ConsentFix OAuth attack

ConsentFix is an advanced OAuth abuse technique where attackers gain persistent access without stealing credentials or triggering authentication controls.

By manipulating users into granting OAuth consent to malicious or compromised applications, threat actors obtain valid access tokens that allow API activity to occur through trusted integrations.

Because this access is granted through legitimate authorization workflows, MFA, passkeys, and phishing-resistant authenticators offer no protection once consent is approved.

Technical analysis of GitHub OAuth token compromise

Tactics, Techniques, and Procedures (TTPs)

  • Credential theft
  • OAuth token reuse
  • Supply chain compromise
  • API abuse

Vendors
Primary Vendor:

Secondary Vendors:

  • Federated SSO Software/Resources

ClickFix-style social engineering is already widely documented. ConsentFix represents a more advanced evolution of this technique.

In these attacks, threat actors compromise a vendor’s GitHub environment and obtain OAuth tokens associated with trusted integrations. Those tokens are then used to access downstream customer environments at scale. Because the access occurs through legitimate OAuth relationships, customer-side authentication controls are bypassed entirely.

ConsentFix delivery methods vary between campaigns. Rather than focusing on delivery, it is more important to understand the impact.

Once a victim is manipulated into granting consent, no additional credentials are required. MFA is not triggered. Phishing-resistant authenticators and passkeys offer no protection once consent is granted. At that point, access is persistent and largely invisible.

API calls are made on behalf of authenticated users, granting attackers full access to organizational resources. The reach of these attacks depends on the victim’s access and can be extraordinarily broad.

Attack flow

ConsentFix campaigns typically follow a repeatable pattern, though individual steps may vary.

Let’s focus on the core of each campaign.

Attackers initiate contact using their campaign method of choice. This may include phishing, vishing, smishing, spear phishing, malvertising, watering hole attacks, or similar social engineering techniques.

The victim is then redirected to a legitimate SaaS authorization page that presents a consent request. The permissions requested are framed to resemble standard integration workflows, making it difficult for users to distinguish from legitimate requests.

Once consent is granted, attackers receive authorization codes for the compromised SaaS application. These codes are exchanged for OAuth access tokens (and, where issued, refresh tokens), providing ongoing access to the victim’s environment.

The resulting access tokens allow attackers to perform API calls as the user, inherit all granted permissions, obtain read and write access, and establish persistence. From there, data exfiltration and follow-on compromise become trivial.

Business impact and organizational risk

The impact of ConsentFix attacks is often significant. Organizations may experience exposure of CRM data, unauthorized API access, downstream compromise of connected SaaS environments, data exfiltration, intellectual property theft, and commercial fraud.

Because access is granted through trusted integrations, detection is often delayed.

Mitigations and limitations of OAuth security controls

Mitigating ConsentFix-style attacks is challenging because they abuse legitimate OAuth workflows rather than exploiting technical vulnerabilities. Once consent is granted, traditional security controls are often bypassed entirely.

While no single mitigation can fully eliminate this risk, a layered approach can meaningfully reduce exposure, limit attacker persistence, and constrain the impact of a successful compromise.

Short-lived OAuth tokens can reduce exposure windows, but they do not invalidate previously granted consent. Attackers can reauthenticate silently, while increased reliance on refresh tokens introduces new risk. Not all SaaS platforms support granular token lifetime controls.

Strict scope limitation reduces potential damage, but overly restrictive scopes can disrupt legitimate workflows. Users may still approve dangerous consent requests, and scope enforcement varies widely between vendors.

Secret rotation helps protect future access but does not mitigate abuse of already-consented OAuth applications. Frequent rotation increases operational overhead and risk of service disruption.

Monitoring third-party integrations requires mature identity telemetry and API visibility. High volumes of legitimate activity can obscure malicious behavior, and historical insight into consent grants is often limited.

Vendor risk management helps, but vendor security posture can change over time. Questionnaires rarely capture OAuth abuse risk, and enforcement authority is limited after onboarding.
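The scope-limitation and monitoring points above can be turned into a concrete check. The following is an added example, not ThreatLocker's code or any GitHub tooling: it runs over constructed audit-log-style events and flags consent grants to apps outside an allowlist, grants where an approved app holds more scopes than it was onboarded with, and a burst of distinct users consenting to the same unknown app, which is the at-scale pattern the attack flow describes. The event field names and the `oauth_authorization.create` action name are assumptions for the example; the scope strings are standard GitHub OAuth scopes.

```python
from collections import defaultdict

# Constructed sample events, loosely shaped like GitHub audit-log JSON.
# The field names and the action name are assumptions for this example;
# the scope strings are standard GitHub OAuth scopes.
SAMPLE_EVENTS = [
    {"action": "oauth_authorization.create", "actor": "alice", "ts": 1000,
     "application_name": "ci-deploy-bot", "scopes": ["repo:status", "read:org"]},
    {"action": "oauth_authorization.create", "actor": "bob", "ts": 1100,
     "application_name": "Repo Insights Pro", "scopes": ["repo", "admin:org", "user"]},
    {"action": "repo.download_zip", "actor": "bob", "ts": 1150},
    {"action": "oauth_authorization.create", "actor": "carol", "ts": 1160,
     "application_name": "Repo Insights Pro", "scopes": ["repo", "admin:org", "user"]},
    {"action": "oauth_authorization.create", "actor": "dave", "ts": 1200,
     "application_name": "Repo Insights Pro", "scopes": ["repo", "admin:org", "user"]},
    {"action": "oauth_authorization.create", "actor": "erin", "ts": 1300,
     "application_name": "ci-deploy-bot", "scopes": ["repo", "workflow"]},
]

# Policy: approved integrations and the widest scope set each may hold.
APPROVED_APPS = {"ci-deploy-bot": {"repo:status", "read:org"}}
# Scopes that grant write or administrative reach; called out in every alert.
HIGH_RISK_SCOPES = {"repo", "admin:org", "write:org", "admin:repo_hook", "delete_repo", "workflow"}


def review_consent_grants(events, approved=APPROVED_APPS, burst_n=3, window=600):
    """Return alerts for consent grants that violate policy, plus a burst alert
    when burst_n distinct users approve the same unapproved app within window."""
    alerts = []
    grants = defaultdict(list)  # app -> [(ts, actor)] for unapproved apps only
    for ev in events:
        if ev.get("action") != "oauth_authorization.create":
            continue  # only consent grants matter for this detector
        app, actor, scopes = ev["application_name"], ev["actor"], set(ev.get("scopes", []))
        if app not in approved:
            alerts.append({"reason": "unapproved app", "app": app, "actor": actor,
                           "scopes": sorted(scopes & HIGH_RISK_SCOPES)})
            grants[app].append((ev["ts"], actor))
            recent = {a for t, a in grants[app] if ev["ts"] - t <= window}
            if len(recent) == burst_n:  # fires when the distinct-user count reaches the threshold
                alerts.append({"reason": "consent burst", "app": app, "actors": sorted(recent)})
        elif not scopes <= approved[app]:
            # Known app asking for more than it was onboarded with: possibly a
            # compromised or re-registered integration.
            alerts.append({"reason": "scope exceeds policy", "app": app, "actor": actor,
                           "scopes": sorted(scopes - approved[app])})
    return alerts


if __name__ == "__main__":
    for alert in review_consent_grants(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the allowlist and scope baseline would come from the integration inventory built during vendor onboarding, and the events from the organization audit log export.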

FAQs

What is a ConsentFix attack?
ConsentFix is a social engineering technique where attackers trick users into granting OAuth permissions to malicious or compromised applications, allowing persistent access without stealing credentials.

Why doesn’t MFA stop ConsentFix attacks?
MFA only protects authentication. Once a user grants OAuth consent, attackers can authenticate via tokens without triggering MFA challenges.

Are passkeys or phishing-resistant MFA effective against OAuth abuse?
No. Phishing-resistant authenticators protect login events, but OAuth consent bypasses authentication entirely once approved.

Why are OAuth token compromises difficult to detect?
OAuth activity often appears legitimate because API calls are made using valid tokens and trusted integrations, blending into normal application behavior.

How can organizations reduce OAuth abuse risk?
Reducing risk requires limiting third-party integrations, monitoring OAuth consent grants, enforcing least privilege, and implementing zero trust controls to prevent post-compromise impact.
