Well, try the demo. The google login works with a mechanism on googles servers asking you explicitly to grant access to the referring site. If the user doesn't check the address on the target ... well ... :/
I've spotted another weakness though on the facebook login. The username's are generated as facebook_$firstname, which will lead to duplicates on big sites quite fast.
I'd like to see a mechanism asking the users to chose a username.
I think this is a problem. Lot's of users just type www.example.org in the google and click the first link. they hardly know what the address bar does.
One way to look at it is: stupid user, you did it to yourself.
Another is: lots of people will be fooled, maybe we should rethink.
I've spotted another weakness though on the facebook login. The username's are generated as facebook_$firstname, which will lead to duplicates on big sites quite fast. I'd like to see a mechanism asking the users to chose a username.