'%3e%3cpath%20d='M248.027%20159.993C292.176%20159.993%20328.105%20124.1%20328.105%2079.996C328.105%2035.892%20292.191%200%20248.027%200C203.863%200%20167.95%2035.892%20167.95%2079.996C167.949%20124.101%20203.878%20159.993%20248.027%20159.993ZM213.969%2045.973C223.069%2036.882%20235.155%2031.873%20248.027%2031.873C260.899%2031.873%20272.986%2036.882%20282.086%2045.973C291.186%2055.064%20296.2%2067.154%20296.2%2079.997C296.2%2092.84%20291.186%20104.93%20282.086%20114.021C272.986%20123.112%20260.899%20128.12%20248.027%20128.12C235.155%20128.12%20223.069%20123.111%20213.969%20114.021C204.869%20104.93%20199.871%2092.84%20199.871%2079.997C199.871%2067.154%20204.884%2055.063%20213.969%2045.973Z'%20fill='%23EE4323'/%3e%3cpath%20d='M150.16%200L57.6821%20159.993H94.5381L187%200H150.16Z'%20fill='%23EE4323'/%3e%3cpath%20d='M92.478%200L0%20159.993H36.856L129.334%200H92.478Z'%20fill='%23EE4323'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_296_834'%3e%3crect%20width='328.105'%20height='159.993'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
SAT1051
ConsentFix
Summary
ConsentFix is a social engineering technique that combines ClickFix-style deception with OAuth authorization code theft. An adversary presents a fake verification screen — often impersonating a Cloudflare Turnstile or similar challenge — that prompts the target to sign in via a legitimate OAuth flow. The attack abuses a trusted first-party OAuth application (such as Azure CLI) to avoid consent prompts, making the login page appear entirely legitimate.
After the target authenticates, their browser is redirected to a redirect URI registered with the OAuth app, which generates a URL in the browser's address bar that contains an OAuth authorization code. The phishing page instructs the target to paste this URL back as part of the "verification" process. The attacker extracts the authorization code from the pasted URL and exchanges it for an access token, gaining full access to the target's account.
The original attack used a localhost redirect URI because the browser typically shows a connection-refused error and leaves the code visible in the address bar long enough to copy. However, the technique isn't limited to localhost — any redirect URI permitted by the target OAuth app can work, provided the code remains visible long enough for the target to copy it (many legitimate redirect endpoints consume or redirect away from the code too quickly to be useful).
Because the target authenticates through a legitimate identity provider and no credentials or MFA tokens are ever exposed to the attacker, this technique bypasses MFA including phishing-resistant methods such as passkeys.
A demo video explaining how ConsentFix works is given below: