They're clearly aware of the vulnerability if they close accounts for exploiting it. Techniques to prevent it are well-known and allegedly they have lots of skilled engineers. But those techniques would increase friction a little bit, so they've evidently decided they don't care about the vulnerability.
Seems less like a vulnerability and more like a violation of ToS. Doesn't each involved party have an account? Is there a way for an otherwise unrelated third party to exploit this?
Its not that techniques are known to prevent this issue. It is prevented by default. Facebook has to take active steps to make this work. If they did nothing there would be no vulnerability.
