Hi Saurabh,

The idea is simple.

If you want to log in to website (x) using your Google account, you will do this:

1) Log in to your account on website (x)

2) Link your Google account

3) Now when you click on "login with Google" you will log into your account

The attack is instead linking my account (me, the attacker) to your account (you, the victim).

So when you click the evil link, my Google account will be linked to your account.

So I will open website (x) and press "login with Google",

and I will enter my Google account (which I linked to your account).

Then I will gain access to your account :)

I hope this makes it more clear.


Written by Yasser Mohammed (@n3r0li)

My name is Yasser and I am a CTF player and competitive programmer. I love to build things, then break into them.
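A defender-side model of the linking flow described in the comment above, added here as an example (it is not code from the original post or from any real site). It assumes the weakness is a link callback that is not bound to the session that started the flow; `LinkService`, its methods, the `state` value and the `google_sub` identifier are hypothetical names.

```python
import hmac
import secrets

class LinkService:
    """Toy model of website (x). All names here are hypothetical."""
    def __init__(self):
        self.sessions = {}  # session id -> {"user", "link_state"}
        self.links = {}     # Google identity -> site account

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "link_state": None}
        return sid

    def start_link(self, sid):
        # Step 2: bind a fresh random state to the session that asked to link.
        state = secrets.token_urlsafe(32)
        self.sessions[sid]["link_state"] = state
        return state

    def callback_unchecked(self, sid, google_sub, state):
        # Weak: links whatever identity arrives to whoever is logged in.
        self.links[google_sub] = self.sessions[sid]["user"]
        return True

    def callback_checked(self, sid, google_sub, state):
        sess = self.sessions[sid]
        expected, sess["link_state"] = sess["link_state"], None  # single use
        if not expected or not state or not hmac.compare_digest(expected, state):
            return False  # this session never started this linking flow
        self.links[google_sub] = sess["user"]
        return True

    def login_with_google(self, google_sub):
        return self.links.get(google_sub)

def simulate(checked):
    """Replay the scenario; return the account the foreign identity reaches."""
    svc = LinkService()
    victim_sid = svc.login("victim")
    other_sid = svc.login("attacker")
    # Constructed input: a callback from another user's flow hits the victim's session.
    foreign_state = svc.start_link(other_sid)
    handler = svc.callback_checked if checked else svc.callback_unchecked
    handler(victim_sid, "google-sub-attacker", foreign_state)
    return svc.login_with_google("google-sub-attacker")

if __name__ == "__main__":
    print("unchecked:", simulate(False), "| checked:", simulate(True))
```

With the checked handler the foreign callback is rejected because the victim's session holds no matching state, and a state that was accepted once cannot be replayed.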
