
But that's not going to stop Facebook from publicizing that they will. You're glossing over the details and attributing an air of "old news" to the bug. Well, yes / no. If he didn't find such an ancient bug but instead someone devious did, they could have dumped all the private user photos. If that happened, what do you think the financial implications might have been?


He got $2500 for that bug. I will venture a guess that that's the most any bug bounty program will pay for that Rails YAML bug in 2015.


How much do you suppose blackhats would pay for Instagram's SSL keys, mobile app signing keys, push notification keys, etc.?

Yeah, the researcher went deep into the grey area, but I find Alex Stamos's reaction barely short of unbelievable - it's almost as though he's so new to the internet he's never heard of the Streisand Effect... (Either that, or he's just so accustomed to bullying and intimidating people who might embarrass him that he's now got that corrupt politician "Waddaya mean I'm 'abusing my power'? We grant multimillion dollar contracts to old school buddies all the time? What's the problem?" look on his face.)


Not much. Probably much less than $2500.

A script to create new bogus accounts on Facebook is probably worth more than mass Facebook account compromise.

People really don't seem to understand how the "black market" works.


I was thinking more of the Zerodium/Gleg/BoozAllenHamilton class of buyers - who'd on-sell it to, say, the Egyptian or Thai Government, rather than run-of-the-mill carders or identity thieves.

(But yeah, I'm perfectly happy with my life where I have no real understanding of how the black market for this kind of thing works...)


How does that matter in any way? This was a series of fuck-ups. Facebook wouldn't pay $1M to anyone, ever, since it would encourage this kind of behaviour. It was the "zero-dollar bug that led to the million-dollar fuck-up" though.


I think the point though, is that it's more than just a single old Rails YAML bug. The privilege escalation shouldn't have been there. Their infrastructure would still be vulnerable even without the initial exploit.
