
You may choose (like you actually do) to make-believe whatever you wish about the exploits' worthlessness, but you may also assume that there already were a lot of black hats out there that provided "service" relying on the recently covered security weakness.

Also, about the "Facebook's security team is one of the strongest and most sophisticated of any company" mantra: even a mediocre strategist, after learning at least something about his opponents, can improve his attack based on that knowledge. Assuming a modicum of surveillance of traffic dynamics on the Facebook security team's part, this may translate into hiding the signature of a brute-force attack by spreading it across space (using a botnet) and time (spacing out each individual trial a little), or into a more elaborate method.
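The commenter above describes hiding a brute-force run by spreading it across many source hosts and across time. The following is an added example, not code from the thread or from Facebook, showing why a per-source-IP rate limit misses such a run while a per-target-account sliding window and a distinct-source fan-in count still catch it. The log lines are constructed here for illustration; thresholds and window sizes are assumed values, not anything the thread specifies.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed auth log: (timestamp, source_ip, account, outcome).

    Models the evasion described in the thread: 12 distinct hosts each try
    2 passwords against one account, with trials spaced 90 s apart, so no
    single source ever looks noisy. Plus one benign user who mistypes twice.
    """
    start = datetime(2024, 1, 1, 0, 0, 0)
    events = []
    t = start
    for i in range(12):
        ip = f"10.0.{i}.1"  # assumed botnet member address
        for _ in range(2):
            events.append((t, ip, "target_user", "FAIL"))
            t += timedelta(seconds=90)
    events.append((start + timedelta(seconds=10), "192.0.2.5", "alice", "FAIL"))
    events.append((start + timedelta(seconds=20), "192.0.2.5", "alice", "FAIL"))
    events.append((start + timedelta(seconds=30), "192.0.2.5", "alice", "OK"))
    return sorted(events)


def sliding_window_alerts(events, key_fn, threshold, window):
    """Return the set of keys with more than `threshold` failures inside `window`.

    `key_fn(ip, account)` chooses what the counter is keyed on; a deque per key
    holds the timestamps of recent failures and is trimmed as time advances.
    """
    recent = defaultdict(deque)
    alerts = set()
    for ts, ip, account, outcome in events:
        if outcome != "FAIL":
            continue
        key = key_fn(ip, account)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alerts.add(key)
    return alerts


def per_source_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Classic per-IP limiter: blind to a run spread over many hosts."""
    return sliding_window_alerts(events, lambda ip, acct: ip, threshold, window)


def per_account_alerts(events, threshold=5, window=timedelta(hours=1)):
    """Count failures against the target account regardless of source."""
    return sliding_window_alerts(events, lambda ip, acct: acct, threshold, window)


def fan_in_alerts(events, threshold=5, window=timedelta(hours=1)):
    """Flag accounts that see failures from more than `threshold` distinct
    sources within `window`; this is the botnet signature itself."""
    recent = defaultdict(deque)  # account -> deque of (ts, ip)
    alerts = set()
    for ts, ip, account, outcome in events:
        if outcome != "FAIL":
            continue
        q = recent[account]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({src for _, src in q}) > threshold:
            alerts.add(account)
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("per-source alerts :", per_source_alerts(log))    # set()
    print("per-account alerts:", per_account_alerts(log))   # {'target_user'}
    print("fan-in alerts     :", fan_in_alerts(log))        # {'target_user'}
```

The per-source detector never fires because each host contributes only two failures; keying the same counter on the account, or counting distinct failing sources per account, exposes the run even though it is slow and distributed. Slowing the trials further only moves the problem to a longer window, which is why the account-keyed view needs a longer horizon than the IP-keyed one.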




Don't move the goalposts. I'm not saying there aren't black hats that target Facebook. I'm saying none of them will pay $15000, or even $500, for this or any other Fb bug.


"Don't move the goalposts. I'm not saying there aren't black hats that target Facebook."

Actually, you didn't limit yourself to "black hats that target Facebook", you put a "he's right" tag on a pretty broad range of remarks! One of them was about Facebook's super team of security experts (which I answered, so I'm not sure what goalpost moving you've seen, BTW), and another remark was "he would not even be able to find a seller, let alone one who would pay a lot", and I'm not sure from which angle you are looking at things to conclude that "he's right". Let me elaborate a little bit. That bug had enough potential to power an account hacking service, and the cash flow derived from it, for an unspecified number of black hats, as anyone in possession of something valuable would first and foremost try to use it and only secondly sell it, you know? In such a context his remark doesn't even make much sense, so I'm not sure how "he's right" in your view.

I've read dsacco's post again and I see another nonsensical remark: "The total impact of the bug would be negligible." How do you judge the impact of the said bug? Would, say, disrupting somewhere the digital social connections between some political figures and their mass of followers so they'd lose contact for a while (exactly when it matters) count as "negligible"? Let's stop talking about pranks around TMZ, let's talk about the most lucrative possible cases here. And all this in itself becomes possible because Facebook is a high value target (another fact dismissed by dsacco, whom you consider to be "right").

Finally, about "none of them will pay $15000, or even $500, for this or any other Fb bug": if right now it so happened that I was willing to pay those $500 (which BTW is a tempting figure) for a Facebook account hijacking method, what value would this conviction of yours still hold?


I would say you were paying $500 for a vanity bug, and not be especially surprised.

What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs.

You might find someone in --- another part of the world, let's say --- who would offer you a couple thousand for that bug. You should know, if you're ever in a position to make that deal, that the person who is buying it from you is willing to kill your whole family to make a point, because that is the reason they are buying the bug from you.

But you aren't going to find that person, any more than you're going to easily find someone to sell a portable antiaircraft missile to.


"I would say you were paying $500 for a vanity bug"

No, it would be just an (admittedly shady) business investment.

"What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs."

You either didn't read my post or you are deliberately ignoring it. dsacco was wrong on so many aspects, and so were you when you supported him; as for what you're doing now... I'm not sure what to make of it!


I'm sorry, but I don't see anything in this comment that is responsive to anything I've written or that introduces any new argument for me to respond to.


> I don't see anything in this comment [...] for me to respond to

Yet you did it anyway! :)

Actually, he did begin by responding with something useful to what you've written.



