Facebook Kills Comment Reply Notifications Within Applications

You know those emails you get every time someone comments on a status update you already commented on? It can definitely get annoying. Facebook applications previously had similar functionality; however, as of yesterday afternoon, comment notifications have been shut off. For most users it’s probably not a huge deal, but some developers are already complaining about this subtle change.

In a discussion on the Facebook developer board regarding app-to-user notifications, Matt Trainer of Facebook told developers two weeks ago that “Notifications generated by fb:comments will continue to work.” Two weeks later, they’ve been shut off and one developer who just reached out to us suggests that this is a “double standard”. As the developer told us:

Facebook claims that this is to eliminate a user from receiving notifications as a result of actions by non-friends. However, if I reply on a friend’s wall and someone posts after me who is not a friend, I still receive a notification. In both situations, I’ve contributed to a wall. In both situations, a non-friend responds. But only on the Facebook wall do I get a notification about the response.

Although it was an automated feature that developers had no control over, this functionality allowed for re-engagement from users who wanted to have conversations with other users (friends or not). The end result here is that some developers are not happy. While I’m not sure that Facebook will restore comment notifications within applications, it’s clearly a feature that many developers would like to retain.


Beware Of Facebook Comment Spoofing

F-Secure has suggested that Facebook’s new reply-by-email feature may be exploitable. The press release explains that malicious users can respond to any thread on Facebook as long as they have the proper thread email address. The full explanation is as follows.

When there is a posted item or status update available on Facebook, and a user leaves a comment, a thread begins.  All the users on the comment thread receive email updates of the latest activity on the thread.  Facebook recently enabled users to respond to this thread directly from their email, just by replying to the email notification.

The problem is that the email notification address is accessible by anyone, meaning that if someone were to find that address somehow, they could respond on this thread, regardless of whether they’re your Facebook friend. Unfortunately for Facebook, it’s relatively difficult to control this security vulnerability. As Jacob Friedman points out:

While Facebook scammers still spam comments from accounts that get passwords stolen or phished, this type of hack is much more difficult for Facebook to control. Where Facebook could simply lock compromised accounts out until their owners change their passwords, it’s much more difficult for Facebook to fix compromised email accounts. It would be difficult for Facebook to work with email providers, especially smaller ones, to get compromised account holders to change their passwords. Facebook’s only recourse might be to delete the accounts of users with compromised email accounts.

So yes, there’s very little you can do to protect yourself against this problem aside from using good email security practices. Awareness, however, is the best form of protection! As a side note, this feature has been long requested and was certainly welcome from me, with my many, many status update comments posted to my profile (/sarcasm).
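One way a reply-by-email service can avoid treating the thread address as a secret that anyone may use is shown below. It is an added example, not Facebook's implementation (which this post does not describe); the function names, address format, signing key, domain and user table are all hypothetical, and `sender_authenticated` stands for an upstream mail check (for example DKIM/SPF alignment) that is assumed to exist.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # assumption: server-side signing key
DOMAIN = "reply.example.test"         # assumption: placeholder reply domain
MAX_AGE = 7 * 24 * 3600               # assumption: addresses expire after 7 days
USERS = {"42": "alice@example.test",  # constructed user_id -> registered email
         "77": "mallory@example.test"}

def _tag(payload):
    # Truncated HMAC-SHA256 over the address payload.
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:32]

def make_reply_address(thread_id, user_id, issued_at):
    """Build a Reply-To address bound to one thread AND one recipient."""
    payload = f"{thread_id}.{user_id}.{issued_at}"
    return f"c+{payload}.{_tag(payload)}@{DOMAIN}"

def accept_reply(rcpt, sender, sender_authenticated, now):
    """Return (thread_id, user_id) if the reply may be posted, else None."""
    local, _, domain = rcpt.lower().partition("@")
    parts = local[2:].split(".")
    if domain != DOMAIN or not local.startswith("c+") or len(parts) != 4:
        return None
    thread_id, user_id, issued_at, tag = parts
    payload = f"{thread_id}.{user_id}.{issued_at}"
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None   # forged or altered address
    if now - int(issued_at) > MAX_AGE:
        return None   # stale notification address
    if not sender_authenticated:
        return None   # From header was not verified upstream
    if USERS.get(user_id) != sender.strip().lower():
        return None   # address belongs to a different recipient
    return thread_id, user_id
```

Binding the address to a single recipient means a leaked address no longer lets a third party post, but, as the quote above notes, it does nothing when the recipient's own mailbox is compromised.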


Facebook Finally Lets User Reply To Comments Via Email

We have received countless emails about Facebook testing comment replies via email for the past few months; however, this afternoon it became official. It’s somewhat surprising that it has taken this long for the company to get this up and running, but I’d assume there were some significant technical limitations. It’s a relatively basic feature; however, effectively parsing through millions of emails can prove complex.

While Facebook hasn’t rolled out commenting on other features, the company could use the lessons learned from rolling out comment replies and apply them elsewhere. For example, users could quickly reply to messages sent via email. For those users with smartphones like the iPhone and Blackberry, replying to messages has never been an issue. For those users with less advanced phones, it can be cumbersome to log in every time they receive an update about a message or a comment.

If you want to take advantage of this new functionality, you’ll need to make sure you have email notifications for comments configured properly. You can do that via the Account Settings page. My guess is that most frequent readers of this blog have smartphones, which means this new functionality won’t be a needed addition. If you want to learn more, check out Tom Whitnah’s blog post.
