by ustad 536 days ago
Holy crap. What a terrible system and I hope my part of the world never implements such forms of tech.
2 comments

I am not sure I can agree with that. I almost got scammed, but isn't that my responsibility to check?

The thing is, those services really are useful. A lot of stuff that used to be complicated and required me to stand in line somewhere can now be done comfortably from home. Many good things can be abused, but that does not mean they should not be implemented. And you don't have to use it if you do not want to.

Also, I don't know how the scam works behind the login form that stopped me, but I think it would not have worked even if I had given them my info because there is 2FA - how would they overcome that hurdle?

Sorry, I was not clear. I was talking about having to use your bank for authentication/sign in.

It's actually a really good system, as the origin (aka the domain displayed in your URL bar) changes during the redirect.

The problem is the lack of user education as to what an "origin" is.

But assuming there is good user education, this is the proper way to do it. One (untrusted) origin redirects you to a trusted one with instructions to give it some information. The trusted origin asks for your authentication and tells you what the untrusted origin is requesting. If you approve, the untrusted origin only gets the very specific data it requested (and you approved) and nothing else.

I’ll repeat what I said above/below: Sorry, I was not clear. I was talking about having to use your bank for authentication/sign in.