Your comment does not reflect how vulnerability sales work in the real world.
In the real world, vulnerabilities are sold to blackhat groups who want to make a profit by attacking as many websites as possible. Generally, these websites will have valuable credit card or other information that can be stolen from a compromised server.
Compromised user accounts (not even the server! just users!) on a single website do not constitute a valuable target.
The idea that TMZ would pay a significant amount of money for this is a Hollywood plot, nothing more. Vulnerabilities are not valued highly just because you can come up with a contrived scenario in which it would be valuable to someone for some reason.
This is a market, and like any other market there are buyers and sellers who dictate supply and demand.
He's not wrong, you're just misunderstanding him. He's not saying there aren't "valuable" or "interesting" Facebook accounts. He's saying that there aren't enough Facebook accounts with immediate drop-in value to an existing and lucrative criminal enterprise to create a competitive market for Facebook bugs.
I would agree, being that I cannot immediately detail how these Facebook accounts might be useful, but any information is useful, especially credentials.
(Valuable != "immediate drop-in value")? So, he's saying the accounts aren't valuable, but they have value? The subtlety is lost on me...
The info might be useful to someone, but not to the people who are buying vulnerabilities on the black market.
Imagine going to a tech trade show and setting up a stand for your lumber business. What you're selling has value and is useful, just not to the people you're trying to sell it to.
Let's assume the position of a spammer or ~0-day blackhatter... access to the accounts of the most popular website in the world is not of interest? (You could post a URL and have millions of people click it because they trust the poster.)
Is that a retort or simply an unrelated observation?
Edit: My intent was to understand your perspective (and argue...), but this comment goes over my head, and it seems as though it was a thinly veiled insult.
What I'm understanding here is that, while it might be profitable to someone to have an exploit on hand that they can use, the actual work that goes into turning a profit from the exploit may be costly enough that it's not worth pursuing.
Not sure if you read Cryptonomicon, but there's a part there where Randy Waterhouse finds a crap load of gold in the middle of a jungle and then rationalizes that there's no easy way to get it out of there, making it worthless at that moment. That gold has value, but no liquidity.
This is a forum focused on the startup community. The difference between the merely-useful and the truly-marketable has been discussed ad nauseam on these pages, as that difference makes and breaks many startups.
But what can you really do with the Facebook login of, say Obama?
Not provoking WW3, that's for sure.
The only thing you can realistically create is a PR kerfuffle for Facebook, but considering the way to spread it would be (wait for it) on Facebook itself, there's not much money in this.
You simply log into the Bloomberg/AP/NYTimes account, post some fake economic or political news, and then call in some options you purchased the week before.
If done intelligently, this is incredibly difficult to trace. There is risk (rather than a straight-up sale), but the expected returns are probably an order of magnitude higher.
>You simply log into the Bloomberg/AP/NYTimes account, post some fake economic or political news, and then call in some options you purchased the week before.
It would likely be far cheaper and easier to execute something like this via social engineering than using an actual exploit. I'm reminded of the time Twitter user @m had his handle stolen because Apple gave up some personal info.
Given that there are likely 100s if not 1000s of FB users who may have access to the Bloomberg/AP/NYTimes official pages, figuring out in an automated fashion who can be easily socially engineered isn't likely worth 15k.
Just because this isn't the typical mass vulnerability SQL injection or XSS attack on a major framework doesn't mean it's basically worthless ($15k or less).
The amount of damage that could be done to Facebook's reputation is enormous, not to mention the value of the information that could be stolen.
It all really depends on how fast FB can service the requests and how long it takes for them to notice and shut it down. Push your priority list off to a worldwide farm and watch the accounts pop out.
How long until FB would have it shut down and the affected accounts locked out?
The problem is that there's no half life. The bug dies instantaneously once discovered. It's not like 3/4 of the Internet runs "old Facebook" because they forgot to update it.