
I think it's actually more limited than that ... they have to be able to modulate the response body through a request, which sounds really f'in difficult to do with a properly designed web application.

I'm pretty sure they need a server that responds to POST form requests with user-specified unchecked data from that form, in addition to secret data the attacker actually wants. And the more I think about it, the more I wonder how existing CSRF protections wouldn't block that already.

I really wish I could find more details on this attack; I like Ars Technica for general news but the technical details are lacking here.




Most forms maintain the data that was entered by the user when there is a validation error. Say the attacker is after a CSRF token: they could just use one of the fields in the form for entering their guess, and it will be included in the response.


You could do this more easily if the page included data from the GET query, something like a name or a search query or something like that, which gets echoed in the response.



