The problem is the flow who Facebook uses when a user share a link:
- Connect with the linked site
- Download the site information
- Check that all is correct, sanitize all in order to ensure that the user don't send something that can harm to the other users, etc
- Put all the information in a form that the user will send to publish the link
- And, this is the problem, trust on the information that the user send on this form
All the developers knows that is dangerous to trust on the information that the users send, If the user want, him can send a spoofed form altering the information contained into the form values.
I reported this bug the past 30 of december (more than a month ago), but I didn't receive any response, and they didn't watch or download the demonstration video (I uploaded the video to one of my servers, and I can't find any access on the access_log file to the video):