If you can get the exception thrown only when another process has a particular state, or if that other process's state can affect the timing of the exception throw, then that's information disclosure.
Typically these are are hard to pull off, I remember a case a number of years ago where the proof of concept private key exfiltration came months or maybe even a year after the vulnerability was shown, and even then I believe the process took minutes or perhaps hours to run. This stuff isn't magic, it's really hard, but that doesn't mean it's not possible.
Typically these are are hard to pull off, I remember a case a number of years ago where the proof of concept private key exfiltration came months or maybe even a year after the vulnerability was shown, and even then I believe the process took minutes or perhaps hours to run. This stuff isn't magic, it's really hard, but that doesn't mean it's not possible.