I think the trick here was to prompt the user with a fake OAuth screen. Many legit apps show the OAuth screen using a web frame inside that app. It is absolutely stupid that it is still a common occurrence.

If you need to enter your credentials when using sign-in-using-xxx, be VERY cautious. Even if you have 2FA enabled, the fake OAuth screen can just ask you for the 2FA code. You have no way of knowing whether the login page is keylogged or hijacked.

> Even if you have 2FA enabled, the fake OAuth screen can just ask you for the 2FA code.

Not all 2FA is “enter a code”; it's a lot harder for a fake OAuth screen to send a request to your registered authentication device.

EDIT: this doesn't really help, as a reply points out. OTOH, separate side channel verification of logon from unexpected devices does.

Is it? Couldn't the backend (or even a human attacker) just type the credentials you provide into the real login page, giving you the "tap yes" push notification just the same?