
Note that the author does not suggest that the global CSRF token can be exploited without another user's intervention; if I understood the article correctly, exploiting that token for evil would still require getting someone to click your malicious link (i.e. performing a CSRF attack).


Ah, perfect, that's the part I was missing. Just sat down and watched the video demonstration (https://www.youtube.com/watch?v=KoFFayw58ZQ#t=200) – at 3:20 he navigates the victim's browser to a site controlled by an attacker. Thanks!
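To make the point in the thread concrete, here is an added illustration (not code from the article or the video) of why a single site-wide anti-CSRF token only holds up if the victim never makes the cross-site request: a server-side check comparing the submitted token against a global value accepts a form the attacker built, while a check against a token bound to the victim's own session rejects it. The token values, `Session` class and function names are all constructed for this demo.

```python
import hmac
import secrets

# Constructed demo value: a site-wide ("global") anti-CSRF token that every
# visitor, including the attacker, receives in the page source.
GLOBAL_TOKEN = "site-wide-token"


class Session:
    """Minimal stand-in for a server-side session (assumption, not a real framework)."""

    def __init__(self) -> None:
        # Per-session secret; a different user never sees this value.
        self.csrf_token = secrets.token_urlsafe(32)


def check_global(form_token: str) -> bool:
    """Weak policy: accept any request that carries the site-wide token."""
    return hmac.compare_digest(form_token, GLOBAL_TOKEN)


def check_per_session(session: Session, form_token: str) -> bool:
    """Stronger policy: the submitted token must match the one issued to this session."""
    return hmac.compare_digest(form_token, session.csrf_token)


def forged_request_accepted(policy: str) -> bool:
    """Simulate the cross-site request discussed above: the victim's browser,
    already logged in, submits a form the attacker prepared. The attacker knows
    the global token from their own visit but never sees the victim's session token."""
    victim = Session()
    attacker_known_token = GLOBAL_TOKEN  # learned from the attacker's own page load
    if policy == "global":
        return check_global(attacker_known_token)
    return check_per_session(victim, attacker_known_token)


def legitimate_request_accepted() -> bool:
    """A genuine same-site form submission carries the session's own token."""
    user = Session()
    return check_per_session(user, user.csrf_token)
```

The per-session check still relies on the browser only sending the token in forms the site itself rendered, which is why the demonstrated attack needs the victim to visit the attacker's page.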



