I am actually curious to know of cases of insecure string comparison vulnerabilities being exploited. I think there are real cases. But I tried recently to to this against a toy server over my local network, and could not get it to work without adding a delay to the comparison.