It's not a bug. It is either a backdoor placed there from the design/implementation or super lazy programming. I don't want to think it's done on purpose (Hanlon's razor).
A full account takeover is a really shitty backdoor. Just make a separate "test" endpoint that's exactly the same as the main API but requires no authentication so anyone can read anything. Perfectly deniable as just a bug and entirely undetectable from a target's POV.
If that's an intentional backdoor it's a very weird backdoor. Wouldn't you at least obfuscate things a little bit? Simply mixing up the characters in that string in some pre-planned order would be enough.
While I doubt it's an intentional backdoor, I wouldn't assume that backdoors would be obfuscated. You can't deny knowledge of an obfuscated backdoor, while an obvious one could plausibly be a simple mistake.