Victim logs in using two-factor auth, gets a cookie which lets them back in without phone in future.
Attacker sends email to victim with some kind of script embedded.
Victim views email, javascript runs and sends cookie info to attacker.
Attacker uses cookie to impersonate victim.
Of course, it's been a long day here too, and I'm so far from an expert on this stuff it's entirely probable that what I just described doesn't make sense/isn't possible.
Edit: Yeah, guess what I described is more XSS than CSRF
I suspect you're on the right lines: but from the XSSExploits tweets I imagine that what they might well have done is execute some JS to add a new authorised phone number to the list (i.e. by just posting the new details).
That said they say they also needed a strongwebmail account for it to work so I could be wrong - perhaps they just hijacked their authed session ID into the CEO's (possibly??)
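As an added example (not from either poster, and not anything the webmail in question is known to run), here are the server-side controls that block both routes described above: the 2FA-backed session cookie set HttpOnly so script injected into a mail body cannot read it, an allow-list sanitizer for the mail body before rendering, and a CSRF token plus a fresh second factor before a new authorised phone number is accepted. The function names, the five-minute window and the sample mail body are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from html import escape

# Elements whose content must never reach the webmail's rendering context.
BLOCKED_TAGS = {"script", "iframe", "object", "embed", "style", "meta", "link", "form"}
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "div", "span", "ul", "ol", "li", "img"}


class EmailSanitizer(HTMLParser):
    """Rebuilds an allow-listed subset of the mail body; drops scripts and event handlers."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside a blocked element (its content is discarded)

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # onload=, onerror=, ... would run injected JS
                continue
            if name in ("href", "src") and not value.lower().lstrip().startswith(("http://", "https://", "mailto:")):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))


def sanitize_email_html(html):
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def session_cookie(session_id):
    # HttpOnly keeps document.cookie from exposing the 2FA-backed session to injected script.
    return f"session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def add_authorised_phone(session, form, now):
    """Adding a phone is a sensitive change: needs a CSRF token and a fresh second factor (assumed 5 min)."""
    if form.get("csrf") != session["csrf"]:
        return "rejected: csrf token mismatch"
    if now - session["last_2fa"] > 300:
        return "rejected: re-verify with second factor"
    session["phones"].append(form["phone"])
    return "ok"


# Constructed sample mail body carrying the kind of script the thread describes.
SAMPLE_MAIL = ('<p>Hi <b>CEO</b></p><script>steal(document.cookie)</script>'
               '<img src="x" onerror="alert(1)"><a href="javascript:alert(1)">link</a>')
```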