I reported a bug to Google just a couple of days ago, which is very similar to this.
It allows an attacker to present a user with a real Google 'account select' page with their account listed, but if they click that link it actually redirects them to another site (which you can dress up to look like the password page the user is expecting).
It is arguably worse than the previous issue, as I don't need a hoax extension, I can just manipulate the link to inject the malicious redirect behaviour.
They have triaged it and I'll probably write up a report once they are happy for me to do so.
I'm not sure it's worse, since it requires users to type their password into a non-google.com domain. Whereas with the OAuth phishing, everything was on google.com, so it looked legit.