There's no vulnerability per se, but I think the Salesforce UI is pretty confusing in this case. It looks like a login page, but actually if you fill it in, you're granting an attacker access.

Disclosure: I work at Google, but don't have much knowledge about this case.