The only way they would have admin privileges is
A)the form was using GET instead of POST. The username and password fields would be presented to the Google Bug as part of the URL.
B) The session ID was part of the URL instead of a cookie.
C) They hacked the site via their Google Bug.