The page doesn't do a great job at explaining the mechanism (which from a quick glance seems to involve WebRTC).
This is a better resource on this topic, which involves DNS rebinding: https://medium.com/@brannondorsey/attacking-private-networks...
DNS rebinding also gets around the cross-origin request issue, which some comments here mention.