He discovered the bug on the telekom.de website, on one of the subdomains that displayed only a generic landing page. The subdomain umfragen.telekom.de translates to suggestions.telekom.de, and appears to be an abandoned web page left behind from previous iterations of the site.
By brute-forcing URL paths on the subdomain with Pemburu, a pen-testing tool he had built himself, Hegazy came across an upload.php file.
He then set out to find the URL to which upload.php sent user-submitted data. His tool went through a large set of URL variations and eventually discovered that the file sent data to umfragen2.telekom.de/upload.php. This allowed Hegazy to take a closer look at the code.
He reported the flaw to the telco’s security team, and it has since been patched.