What I meant is that the user needed to load a Flash payload and be logged in properly. The data harvesting happens client-side. The vulnerability itself is server-side, yes, but computers are faster at copying data than engineers are at figuring out what's going wrong. The data you could potentially harvest with an exploit like this, given good planning and enough time to affect a large number of people, is definitely worth quite a bit of money. This vulnerability could even have helped to make a very convincing phishing attack, which, again, properly executed, leads to very valuable data.
It's not remote execution, but I still think it's valuable.