Good. TKIP should have died a long time ago. Hopefully we can completely remove all TKIP-related code in the future! Using WPA2 with (AES-)CCMP is the only acceptable solution.
A demonstration of the attack can be seen here: https://www.youtube.com/watch?v=oTycM5mQSpQ
This probably a stupid question but what can you do with a leaked CSRF token ? Isn’t it generated freshly every time a form is rendered ?