This is just such an amateur-hour vulnerability. Gluing strings together with no regard to what might be in them and then parsing them later...
edit: I didn't mean it as a put-down of either the article or how they found the vulnerability, but it wasn't a constructive comment either way.
It's good to add information about what the vulnerability actually was, but please don't do it in the key of putdown. We're trying for something else here.
https://news.ycombinator.com/newsguidelines.html