Yes, and that's not what people are reporting flaws in. The reports are "this daemon accepts arbitrary code and then runs it!"
$ login -n root
Login incorrect
login: backdoor
No home directory specified in password file!
Logging in with home=/
#
I don't agree with the interpretation that Sam tried and failed to login as root, and THEN tried to login as a different user, backdoor. Because if that's what happened, shouldn't there be another $ prompt before he types `backdoor` and gets the #? It seems to me that's an unobfuscated password field and `backdoor` is the password.