
towerful ,

"Oh, you are logged in on your phone? Let's zoom there"
This is the exploit.

The technical details don't really matter. Web services are extremely difficult to make secure if you cannot trust a legitimate user's computer who is legitimately authenticating.
The key extraction could be seen as a vulnerability. Likely an OAuth token that the web service passes to the browser, which passes it to the auth service, then the auth service passes a new token to the browser, which then passes to the web service, which verifies the token then starts an authenticated session.
There will be a reason that keys are (I'm guessing, as this is the only way it can be leaked to screen sharing) passed as query parameters. Likely load balancers operating on SNI, or it's to rely on basic browser/headers to control the authentication flow, instead of having to have specific browser code (i.e. JavaScript) to take the key and pass it as body data in a POST request without the user's intervention.

Unfortunately, it is probably the most secure way of doing it given the restrictions of HTTP, browsers and ease-of-use-for-users.

The lesson is "if you are dealing with a stranger and: you have a bad feeling, you are put under emotional stress, time deadlines, any kind of pressure. STOP."
That's how scam/phishing etc. works. It engineers you to dismiss any red flags that would normally make you stop.
Sometimes scammers get really lucky and hit you when you are expecting legitimate contact.
