Facebook has a major loophole that allows nefarious users to get around its strategy to stop fake news.

The social media giant has been taking its fight against misinformation and fake news more seriously in recent years. The company has taken action against malicious accounts spreading disinformation. Its updated its policies to keep misinformation off the platform. Studies have even shown that the steps Facebook has taken are working. That’s all good news!

However, a recently discovered loophole proves that Facebook CEO Mark Zuckerberg and the rest of his company still have a lot more work to do.

Mashable has learned of glitch in Facebook Groups that allow Facebook Pages to easily create and spread fake news and misinformation via a feature that was previously shut down 2 years ago: editable link previews.

Link previews are the embeds that pop up when you post a link on Facebook. They usually contain a large thumbnail, the main URL where the link is from, the title of the post, and a short description of the article. Facebook auto-populates this information from the actual post image, headline, and description on the website being linked. It’s a visually pleasing way to show what would otherwise be a textual link.

Below is an example of a link preview for this CNN story on independent presidential candidate Howard Schultz dropping out of the race.

An unedited link preview that appears when a user pastes a link into a Facebook post Image: mashable [Screenshot]

Prior to mid-2017, any user who pasted a link on Facebook was able to edit the image, headline, and description to whatever they wanted before posting the link publicly to the site.

However, in June of that year, Facebook made a big change as part of its fight against fake news and misinformation. The company announced it was ending the ability for users to edit link previews .

“By removing the ability to customize link metadata (i.e. headline, description, image) from all link sharing entry points on Facebook, we are eliminating a channel that has been abused to post false news,” said Facebook in a 2017 post explaining the move on its site for developers.

In a private Facebook Group discussing social media related topics, I recently came across a user explaining how they discovered a weird glitch that still allowed Facebook Pages to edit link preview metadata. Again, this is a feature that was supposedly completely shut down one year ago.

“If I am posting something from Mashable from a Facebook Page about how important vaccines are,” explained the user, who requested anonymity for this piece, in a private Facebook message, “I could now change the headline to say 'New Report Finds Vaccines Are Bogus.'”

Here's an example of an edited Facebook link preview using the loophole. Image: mashable [screenshot]

Let's take the Howard Schultz dropping out of the presidential race example. Using my Facebook Page and the loophole, I was able to post the same CNN link in a Facebook Group with an edited headline, completely changing the meaning of the post. You can see the result above. The average Facebook user scrolling by will see a CNN sourced article with a fake headline and wouldn't know it was altered unless they actually clicked through.

“I reported it to [Facebook] a few months back,” the source wrote to me more than three weeks ago. “I reported it again not too long ago and two days ago they responded with an automated reply and closed the ticket.”

This person provided me with a screenshot of a support ticket dated August 2. The message sent to Facebook details the issue, the concern with the spread of misinformation via malicious users, and a note detailing how they had first reached out to the company about the issue in February or March of this year.

Ten days later, Facebook replied.

“We received your report and appreciate your patience as we work to fix technical problems on Facebook," the company said. “Though we can’t update everyone who submits a report, we’re using your feedback to improve the Facebook experience for everyone.”

The support ticket was promptly closed.

I can confirm that Facebook Pages could still edit link preview metadata in Facebook Groups at the time of publishing.

Facebook has emphasized its fight against fake news on its platform in recent years. Following the 2016 presidential election, the social network was hit with a wave of criticism over scandals involving misinformation. Foreign entities used the site to spread propaganda, clickbait website owners gamed the Facebook algorithm to generate profitable traffic for their fake political news blogs, the UN even claimed that misinformation spread on Facebook played a role in the genocide of Rohingya Muslims in Myanmar.

Amid a redesign earlier this year, Facebook put a strong focus on its Groups feature throughout the platform. The company has long pushed Groups as a priority, citing “meaningful” engagement.

However, with Facebook’s centering of Groups, conspiracy theorists and other bad actors moved their misinformation and fake news sharing to private and secret Groups. In fact, just last month, the social media giant published a lengthy post reminding Facebook Groups users that its policies exist even within those private communities. The company is clearly aware of these problems in Groups, which makes it even more baffling that the issue hasn't been fixed.

Studies have found that a majority of people don’t read past the headlines of an article they see online. On top of that, after reading only the headline, they’ll also share it, a sad but unsurprising fact in the digital age. The ability to edit the headline and short description for a shared link can easily be abused by bad actors. Add in the fact that the Facebook link preview maintains the official URL where the article is from, say CNN.com or NYTimes.com, even after the metadata was edited, and you’re asking for trouble.

“Our research shows that there is a tiny group of people on Facebook who routinely share vast amounts of public posts per day, effectively spamming people’s feeds,” explained Facebook’s then-Newsfeed VP Adam Mosseri when the company shut down the feature to edit link previews. “Our research further shows that the links they share tend to include low quality content such as clickbait, sensationalism, and misinformation. As a result, we want to reduce the influence of these spammers and deprioritize the links they share more frequently than regular sharers.”

At the time, Facebook provided a bit of leeway to publishers with Facebook Pages after the change was made. Media outlets were given a few extra months where it was possible to edit the link preview metadata. During this time, publishers were encouraged to apply for access to edit link previews for domain names that they owned. This allows Facebook Pages to edit link previews, but only for links to their own websites.

To this day, applying for approval for your Facebook Page and your domain name is the only way to edit link preview metadata on your Facebook Page. There is no way to edit previews for links to sites you don’t own ... other than this weird Groups loophole, of course.

One thing to note is that Facebook Pages weren’t always allowed to join Groups. That feature was launched in September 2018. It’s possible that’s why this workaround even exists to begin with and has been able to fly under the radar for as long as it has.

While it’s unconfirmed whether this is actually a bug, judging by Facebook’s policy changes over the years, it seems highly unlikely that the feature is intentional. Mashable has reached out to Facebook for comment and will update this post when we hear back.