
It isn't at all clear how getting the default generic YSOD is going to generate "more data" for the attacker by repetition, unless response time is the data of interest. Is that the case here?



They don't need timing. They don't need to sniff. HMAC doesn't solve the problem. They don't use detailed errors. You should probably read their JSF paper from earlier this year to see the attack pattern they're working with.

Here is a clue: they are using ASP.NET behavior to generate a one bit signal from the target. Their attack requires many tens of thousands of requests. That's about as much as I can say.



