A timing attack is essentially using statistics and a large number of requests to determine certain pieces of information by brute force. For example, let's say you want to break into somebody elses account on Example.com. Example.com happens to be susceptible to timing attacks, and we're going to abuse it.
Let's say the internal string compare method of whatever language Example.com is using does a "short circuit compare" when comparing strings. Maybe the code looks something like this:
def is_equal(source, dest):