by laumars 3567 days ago
Site is in German. Google Translate has given me an idea as to the content of the article, but I'm still a little confused about how the timing attack works. Is someone able to explain this better please?
2 comments

The author created a number of "Promoted Posts" on Facebook, for different age groups and relations. Then they send a series of requests to FB on behalf of the visitor. FB rejects them, but because the amount of time they take varies depending on whether they would see the promoted post or not, the site owner can use the time that FB takes to determine if their visitor would have seen the promoted post—and thus, whether they meet the demographic criteria for it. In my case, the promoted post that the site owner created to show to 36-year-olds took longer than the one for 35-year-olds and 37-year-olds. Thus they concluded (correctly) that I'm 36.
Neat! What could I do with that?
It measures the time a request to Facebook requires (which is exposed by the API, even if content, content size, ... are not). Facebook requests that a user is not allowed to see return quicker, so you can test if a particular post is visible or not to the visitor. Combined with the ability to create targeted Facebook posts, that are limited by gender, age and/or geographic location, you can find out details about the user you shouldn't be able to know.
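The mechanism both replies describe, reduced to a small simulated server, as an added illustration that is not part of this thread and not Facebook's code. The point it shows is the root cause and the fix: a handler that rejects ineligible viewers before doing the expensive render work answers measurably faster, so the response time alone reveals audience membership; a handler that does the same work on both paths and pads to a fixed deadline gives no signal. `FakeClock`, the millisecond cost figures, the `Viewer`/`PromotedPost` types and the `timing_spread` leak check are all constructed for the demo; a real service would replace the fake clock with percentile measurements over many requests.

```python
"""Why early authorization rejection leaks audience membership through
response time, and how deferring the decision plus padding removes the signal.
All costs are simulated with a fake clock so the demo is deterministic."""
from dataclasses import dataclass
from typing import Optional

# Simulated per-request costs (constructed figures, not measured values).
AUTH_COST_MS = 2.0
RENDER_COST_MS = 40.0
PADDED_DEADLINE_MS = 60.0   # must exceed the worst-case real cost of a request


@dataclass(frozen=True)
class Viewer:
    age: int
    gender: str


@dataclass(frozen=True)
class PromotedPost:
    post_id: str
    min_age: int
    max_age: int
    gender: Optional[str] = None   # None means "any gender"


class FakeClock:
    """Accumulates simulated time instead of reading a real clock."""
    def __init__(self) -> None:
        self.now_ms = 0.0

    def spend(self, ms: float) -> None:
        self.now_ms += ms


def in_audience(viewer: Viewer, post: PromotedPost) -> bool:
    age_ok = post.min_age <= viewer.age <= post.max_age
    gender_ok = post.gender is None or post.gender == viewer.gender
    return age_ok and gender_ok


def serve_leaky(viewer: Viewer, post: PromotedPost, clock: FakeClock) -> dict:
    """Vulnerable shape: reject before rendering, so denials return early."""
    clock.spend(AUTH_COST_MS)
    if not in_audience(viewer, post):
        return {"status": 403, "body": ""}      # fast path leaks the decision
    clock.spend(RENDER_COST_MS)                 # only eligible viewers pay this
    return {"status": 200, "body": f"post {post.post_id}"}


def serve_padded(viewer: Viewer, post: PromotedPost, clock: FakeClock) -> dict:
    """Hardened shape: same work on both paths, then pad to a fixed deadline."""
    start = clock.now_ms
    clock.spend(AUTH_COST_MS)
    allowed = in_audience(viewer, post)
    clock.spend(RENDER_COST_MS)                 # render unconditionally, discard if denied
    elapsed = clock.now_ms - start
    if elapsed < PADDED_DEADLINE_MS:
        clock.spend(PADDED_DEADLINE_MS - elapsed)
    return {"status": 200 if allowed else 403,
            "body": f"post {post.post_id}" if allowed else ""}


def response_time(handler, viewer: Viewer, post: PromotedPost) -> float:
    """Simulated wall-clock time one request takes through `handler`."""
    clock = FakeClock()
    handler(viewer, post, clock)
    return clock.now_ms


def timing_spread(handler, viewer: Viewer, posts) -> float:
    """Leak check a service owner can run: the gap between the slowest and
    fastest response across posts the viewer may or may not be eligible for.
    Any non-zero spread means eligibility is observable from timing alone."""
    times = [response_time(handler, viewer, p) for p in posts]
    return max(times) - min(times)


if __name__ == "__main__":
    me = Viewer(age=36, gender="m")
    probes = [PromotedPost(f"age-{a}", a, a) for a in (35, 36, 37)]
    for name, handler in (("leaky", serve_leaky), ("padded", serve_padded)):
        per_post = {p.post_id: response_time(handler, me, p) for p in probes}
        print(name, per_post, "spread:", timing_spread(handler, me, probes))
```

The padding deadline has to sit above the real worst-case cost, otherwise slow requests still overshoot it and the leak reappears at the tail; in practice that means measuring p99 latency of the eligible path before choosing the constant.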