Why should that stop the misuse? Hope you have heard how some porn sites (allegedly) solved captchas using similar technique?
1. An unsuspecting user visits page of rogue site.
2. Website backend server visits accounts.google.com/sesame
and fetches the barcode.
3. The rogue site displays the barcode to the user prompting user to point the phone at it, to see the next page.
4. Rogue sites server then wait for google to send cookie, on the page they have open with google.
5. If they don't get cookie, they don't show the next page. If they get, they show the next page, but the account has been compromised.