The whole thing about Gleason's hack is that it's pretty easy to lock down. Just because somebody sent you a signature doesn't mean they created the payload they're sending.
In the absence of payload signatures, if somebody signs the HTTP request and they aren't the actor, you should reject it. That's pretty straightforward and I'm frankly surprised that Meta doesn't enforce this. A bit rushed to market methinks.
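The check the post describes, as an added example that is not part of the original comment or of any particular server's code: the HTTP-signature key that signed an inbox POST must belong to the activity's `actor`, and (going one step further than the post) a `Create` must not carry an object attributed to someone else. The key directory, actor URLs and the Signature header are constructed; a real server resolves `keyId` by fetching and verifying the actor document, and verifies the signature bytes separately.

```python
import re

# Constructed stand-in for the actor/key fetch a real server performs:
# keyId -> the actor that owns that key (hypothetical URLs).
KEY_OWNERS = {
    "https://alpha.example/users/alice#main-key": "https://alpha.example/users/alice",
    "https://beta.example/users/mallory#main-key": "https://beta.example/users/mallory",
}


def parse_signature_header(value):
    """Parse a draft-cavage style Signature header into its quoted params."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'(\w+)="([^"]*)"', value)}


def actor_id(activity):
    """Return the actor id whether 'actor' is a string or an embedded object."""
    actor = activity.get("actor")
    if isinstance(actor, dict):
        actor = actor.get("id")
    return actor


def signer_matches_actor(signature_header, activity, key_owners=KEY_OWNERS):
    """Accept an inbox delivery only if the signing key's owner is the actor.

    Returns (accepted, reason). Cryptographic verification of the signature
    itself is assumed to have happened already and is not repeated here.
    """
    params = parse_signature_header(signature_header)
    key_id = params.get("keyId")
    if not key_id:
        return False, "no keyId in Signature header"
    owner = key_owners.get(key_id)
    if owner is None:
        return False, "unknown key"
    actor = actor_id(activity)
    if not actor:
        return False, "activity has no actor"
    if owner != actor:
        return False, f"key owner {owner} is not the actor {actor}"
    # Without payload signatures, a Create whose object is attributed to a
    # third party is relayed content, not content the signer authored.
    obj = activity.get("object")
    if activity.get("type") == "Create" and isinstance(obj, dict):
        attributed = obj.get("attributedTo")
        if attributed is not None and attributed != actor:
            return False, "object attributedTo differs from actor"
    return True, "ok"
```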