by joeyrideout 2872 days ago
I watched the author's talk at Black Hat yesterday and to my understanding, yes. It's a matter of tricking the cache into storing a request with malicious unkeyed input.

i.e. The cache looks for:

GET /advertisement/1

And caches the request body and other headers as a value with that line as the key. If you can manipulate the same key to have a different value, say by tweaking a cache-specific header, then the body of that GET response (an ad) changes for everyone hitting the same cache. Certainly worth testing with the tools that have been released ;)

EDIT: The tool in question, a plugin for Burp Community + Pro: https://github.com/PortSwigger/param-miner
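
A toy model of the behaviour described in the comment above, added here as an illustration and not part of the original post or of param-miner. The origin function, the `X-Forwarded-Host` header choice and the hostnames are assumptions made for the example; it shows a cache keyed only on the request line serving a header-influenced response to later visitors, next to the same cache with that header added to the key.

```python
# Toy model, constructed for illustration: a cache in front of an origin
# that reflects a request header into the response body.

DEFAULT_HOST = "ads.example.com"  # assumed legitimate asset host


def origin(method, path, headers):
    """Hypothetical origin: builds an asset URL from X-Forwarded-Host."""
    host = headers.get("X-Forwarded-Host", DEFAULT_HOST)
    return f'<script src="https://{host}/ad.js"></script>'


class Cache:
    def __init__(self, keyed_headers=()):
        # Headers listed here become part of the cache key; all others are unkeyed.
        self.keyed_headers = tuple(keyed_headers)
        self.store = {}

    def key(self, method, path, headers):
        extra = tuple((h, headers.get(h)) for h in self.keyed_headers)
        return (method, path, extra)

    def fetch(self, method, path, headers=None):
        headers = headers or {}
        k = self.key(method, path, headers)
        if k not in self.store:  # cache miss: ask the origin and store the response
            self.store[k] = origin(method, path, headers)
        return self.store[k]


def visitor_response_after_tainted_request(cache):
    """Send one request carrying the header, then return what a plain visitor gets."""
    cache.fetch("GET", "/advertisement/1", {"X-Forwarded-Host": "untrusted.example"})
    return cache.fetch("GET", "/advertisement/1")


def is_poisoned(cache):
    """Check: does a header-free request get something other than the clean origin response?"""
    clean = origin("GET", "/advertisement/1", {})
    return visitor_response_after_tainted_request(cache) != clean


if __name__ == "__main__":
    print("request-line key only:", is_poisoned(Cache()))
    print("header added to key:  ", is_poisoned(Cache(["X-Forwarded-Host"])))
```

Adding the header to the key is one mitigation; stripping or ignoring the header at the cache or origin so it cannot influence the response is another.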