It does not look too sensational to me, seems like an obvious attack vector against 2FA.
You don't even need to proxy everything, just have a fake login page that asks for the password + 2FA code, then perform the authentication within the (very short) lifetime of the 2FA code.
You would need to proxy if the 2FA code depends on something returned by the website, like the QR code I have to scan to generate the 2FA code to log in to my bank account. This makes timing even harder, but still easy to do, I'm sure.
Once you have fooled the user (and/or their password manager) into thinking your login form is the real one, it's pretty much game over. Don't reuse passwords, use a password manager that's URL-aware, use common sense, and damage should be limited to the minimum if anything were to happen.
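
Added example, not part of the comment above: a sketch of what "URL-aware" matching means in a password manager, comparing a weak substring check with an exact origin check before autofill. The function names and the hosts `bank.example` and `evil.test` are assumptions constructed for illustration, not any real product's logic.

```javascript
// Constructed sample data: bank.example and evil.test are placeholder names.
const SAVED_LOGIN_URL = "https://bank.example/login";

// Weak check (shown for contrast): fills whenever the saved hostname
// appears anywhere in the page URL.
function naiveMatch(savedUrl, pageUrl) {
  return pageUrl.includes(new URL(savedUrl).hostname);
}

// URL-aware check: scheme, host and port must all be identical.
// URL.origin lowercases the host, drops default ports and converts
// internationalised names to punycode, so a homoglyph host never compares equal.
function originMatch(savedUrl, pageUrl) {
  try {
    const saved = new URL(savedUrl);
    const page = new URL(pageUrl);
    // Only ever fill credentials that were saved for an HTTPS origin.
    return saved.protocol === "https:" && saved.origin === page.origin;
  } catch {
    return false; // unparsable URL: never fill
  }
}

// Constructed page URLs a user might land on.
const PAGES = [
  "https://bank.example/login?next=%2F",   // genuine site
  "https://bank.example:443/account",      // genuine site, explicit default port
  "https://bank.example.evil.test/login",  // saved name used as a subdomain label
  "https://evil.test/bank.example/login",  // saved name used in the path
  "http://bank.example/login",             // scheme downgrade
  "https://bank.example:8443/login",       // different port
  "https://b\u0430nk.example/login",       // Cyrillic 'a' homoglyph
];

// Returns one row per page with the verdict of each check.
function compare(savedUrl, pages) {
  return pages.map((page) => ({
    page,
    naive: naiveMatch(savedUrl, page),
    strict: originMatch(savedUrl, page),
  }));
}

console.table(compare(SAVED_LOGIN_URL, PAGES));
```

The strict check only protects credentials the manager fills itself; a code or password typed by hand into the page bypasses it.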