Skip to content

Gas Auth: Gaslighting the masses to take over their accounts

Posted on:July 30, 2023 at 05:37 PM


Due to incorrect wording in Microsoft’s OAuth consent screen, a service that claims to be accessing basic information can instead gain permanent access to your Minecraft account. We highly recommend visiting and revoking access to unfamiliar or obsolete connections.

The Issue

This is a rather simple wording issue. In the OAuth scope for Microsoft permissions, Microsoft is understating how much information applications are given when connecting your account to a service.

(In this, we will be using MultiMC as an example. The real MultiMC is safe, but the attacker can name the malicious app anything, including reusing name of a safe app! Do not assume because there is a trusted name that it is by a trusted developer.)

Microsoft OAuth Prompt

This can be very dangerous if you accept this prompt even once, as the access tokens will not get revoked until 48 hours pass. You currently cannot do anything to revoke them, other than wait 48 hours.


Mitigation of this attack is completely up to the user until Microsoft releases a fix.

Do not give access to “basic Xbox Live information” unless you trust the application.

If you believe you have done so in the past, please confirm that the apps you’ve given access to are trustworthy and are related to services you actively use:

Official Solutions

There is no official solution from Microsoft at the time of this blog post, and we are not expecting one anytime soon due to Microsoft’s continued ignorance of this issue.

Usages of OAuth phishing in the wild

We have generally seen it being used in the Hypixel Skyblock community, with the intent of stealing user’s accounts for in-game currency or rare items. Other notable usages are;

How you can report these malicious apps

Message for Microsoft

Please change the Xbox Live scope descriptions. Add a very clear warning that this scope can be used to obtain access tokens.

Revoke access tokens generated by an app when access has been revoked from said app and revoke the tokens when a password is reset. As it currently stands, users are giving up access to their accounts for at least 48 hours, even if you immediately revoke access from the malicious app.

Initial Timeline

Please note that all timestamps are based on GMT+10, an Australian timezone.

On the 28th of July 2022,

A user going by the name of “ChiefChippy2” (We will refer to them as Chippy) contacted Ada and Gildfesh (the developers of Nodus) to discuss this exploit and ask how it should be handled. Chippy was told to report it to Mojang.

Chippy messaging Ada

Later that day, Chippy created a ticket through Microsoft’s bug tracker, Mojira, explaining the issue. The private Mojira ticket’s ID is WEB-6006.

A week after the ticket’s creation, Chippy alerted a Mojang employee about the ticket through the SaveMC Discord server, in a channel that the employee was frequently active in.

By December 10, 2022

Attackers had started using this issue in the wild, mainly in the Hypixel Skyblock community. An update had yet to be received from Microsoft on this matter.

On December 28, 2022

The YouTube channel No Text To Speech made a video about the issue.

On March 14th, 2023

As it began approaching a year since the issue first emerged and Mojang still hadn’t acknowledged the issue, Gildfesh made the decision to further pressure Microsoft into fixing the issue.

Gildfesh obtained permission from the YouTuber LiveOverflow to demonstrate the exploit on him, as part of LiveOverflow’s Hacking Minecraft series.

A successful attempt done on LiveOverflow’s account by the Nodus team can be viewed here;

On April 3rd, 2023

LiveOverflow contacted Microsoft Security Response Center (MSRC) after seeing the extent of the issue and having it used against him. The MSRC case number is VULN-097281 (This would later be updated to MSRC-78760)

On April 18th, 2023

LiveOverflow received this from the MSRC team, saying they confirmed the issue and are discussing how to fix it.

"still waiting btw" with the attached screenshot

On June 1st, 2023

Mojang announced changes to the Game Service APIs. Due to these changes, a manual review was required for future API usage. Apps that were already setup with the old system would continue to function as normal. If you wanted to create a new phishing app, you would have to try and get through whatever the manual review process is by lying about your intent.

On July 30th, 2023

TheMisterEpic released a video informing his audience of the issue with help from the Nodus team.

After this video, MMPA deemed the issue as declassified and decided it was better to inform the users instead of waiting for a patch, which led to the release of this blog post.



Crowd Favorite

OH MY FUCKING GOD @eva the moment we polish this up the site to fix this HAS WENT DOWN @Gildfesh @Ada THE CONSENT SITE IS DOWN

- IMS, 2023