Those idiot hackers are just using downlevel OBi firmware and a user name and password to circumvent OAUTH 2.0 authentication.
Note that creating an application specific password is no different from a security standpoint than sticking your regular user name and password on Obihai's website. It is not using secure access token technology.
Is it possible? Apparently. Is it approved by Google and Obihai? No. Is it going to be around for much longer? Who knows. This is the access method that Google told the third parties to stop using.