
Or, they always check the username for "user", but such a check only sometimes causes high CPU load.


Do you seriously think they're 'checking the username for "user"'? I wish all bugs were as straightforward.


They could be. If they have some OO Set of substrings that they check a composite login credentials string for then it is possible to accidentally have state that depends on the order of Set iteration.

Quite a few systems use the "bung all options into one configuration string, then have it parsed by this argument parser" method. And it is a reasonable method to use.


I'm guessing something there is interpreting the substring "user" as special - I'm thinking of the kind of bugs like if you type "NULL" in the textfield you'll fuck up the website, etc. Happens when people don't keep their interpreted and non-interpreted data straight.
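
Added example, not part of the thread and not written by any commenter: a Python sketch of the failure mode the last two comments describe, where credentials are pasted into one option string and a substring-scanning parser mistakes part of a value for a key. The `user=...;pass=...` format, the function names and the sample values are all assumptions made for illustration.

```python
from urllib.parse import quote, unquote

KEYS = ("user", "pass")  # assumed option names, not from any real system


def build_naive(user, password):
    # Values are pasted in verbatim, so data and syntax share one channel.
    return f"user={user};pass={password}"


def parse_naive(s):
    # Substring scan: the first "key=" anywhere in the string wins,
    # even when it sits inside another field's value.
    out = {}
    for key in KEYS:
        start = s.find(key + "=")
        if start < 0:
            continue
        start += len(key) + 1
        end = s.find(";", start)
        out[key] = s[start:] if end < 0 else s[start:end]
    return out


def build_safe(user, password):
    # Percent-encode every value so ';' and '=' can only ever be syntax.
    return "user=" + quote(user, safe="") + ";pass=" + quote(password, safe="")


def parse_safe(s):
    # Tokenize on the delimiters first, then decode each value exactly once.
    out = {}
    for field in s.split(";"):
        key, sep, value = field.partition("=")
        if not sep or key not in KEYS or key in out:
            raise ValueError(f"malformed field: {field!r}")
        out[key] = unquote(value)
    return out


if __name__ == "__main__":
    # Constructed sample input: a username that happens to look like syntax.
    name, secret = "pass=user", "secret"
    print("naive:", parse_naive(build_naive(name, secret)))
    print("safe: ", parse_safe(build_safe(name, secret)))
```
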



