Facebook Open Graph Tags Modification

A couple of weeks ago, I discovered that Facebook allowed you to change the title and description of links that you post. This allows you to craft some pretty interesting posts. For example:

I was puzzled by Facebook's decision to implement this feature. The grey all-caps text at the bottom is the domain name where the alleged content is supposed to originate from. This field cannot be changed. Therefore, I would be more willing to click on a link if the domain is a well known one, e.g. FACEBOOK.COM, GOOGLE.COM or APPLE.COM and so on.

By allowing users to change the content of the post, they are essentially allowing users to "put words into the mouths" of these organizations. Once users click onto the link, they will realise that the information in the post is bogus, however there is the possibility that users may simple share the link without clicking into it, thus spreading misinformation. We have seen numerous similar cases where journalist have retweeted fake news story without verifying because they want to be the first to get the information out there. Some of these have even resulted in substantial real world impact such as a crash in the stock market.

The only legitimate use for such a feature is the ability to insert a more relevant paragraph of text from the article itself. However, in my opinion, the negative effects far outweigh the positive and such a feature should never have been implemented in the first place. Most major websites have been optimised and the open graph text and description should be fairly relevant to the page content.



Contrary to most beliefs, this is a feature built into Facebook and not a vulnerability as some have thought. All you need to carry out this "attack" is Google Chrome and a Facebook account. Simply paste the link you would like to share into your "update status" box and wait for the preview to show up. Hover over the title or the description, it should turn yellow, left click to change the content. I have also found that if you perform this on a Facebook page, you also get to modify the image in addition to the title and description.

Disclaimer: I have contacted Facebook prior to this and they have classified it as a "social engineering or spam attack against Facebook users and infrastructure". As far as I know, there are no plans to remove this feature.

Edit on 05/12/16: Facebook has now disallowed modification of page content when posting to your personal wall. However, posting to a page will still work.