Facebook seems to have been on a roll lately in adding new FBML tags. They are certainly keeping me busy while I finish up the final phases of “FBML Essentials”. Ironically, shortly after I posted my Spam 2.0 article, Facebook seems, based on a new post to the developers wiki, to be providing a new way to keep your application from being used maliciously: the ability to add “Captchas”, graphics containing manipulated text that the user re-enters in a text box provided in the captcha. Captchas are traditionally a way to ensure only real humans are using your software.
What is interesting is that normally you would think having a Facebook profile would be enough to prove it is a real human using the application. Within the application, a developer using normal FBML can always check whether it is a logged-in Facebook user using the application or someone accessing it in an unauthenticated state. Facebook is going one step further with this, however. As we mentioned earlier, there's nothing stopping a Facebook account from being hijacked and then used to run a malicious Facebook app for a day or two, either stealing your data or spamming other users, before Facebook catches it. That's what I'm assuming the launch of this tag is for.
The tag works like this: it is to be contained in any tagset, and can take one optional attribute, “showall”. With it, the captcha is always displayed in the app regardless of whether the user has passed the captcha before; without it, the captcha is displayed only to those who have not yet been verified. The code would look like this (from the developers wiki):
Upon submit, the user is taken back to the callback URL for your application, and an additional parameter, “fb_sig_captcha_grade=1”, is passed to your application if the user passed the captcha. If they did not pass, it is set to 0. The resulting captcha, when rendered, seems to look like any other captcha box on Facebook, which appears to use the Recaptcha format that gives back to Archive.org's book transcription and archiving project. So regardless of whether you really need a captcha or not, you can be comfortable your app is giving back to a good cause. The captcha looks like this (also from the Facebook developers wiki):
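Returning to the callback parameter described above, here is an added example (not from the original post or the Facebook wiki) of a handler that trusts `fb_sig_captcha_grade` only when the request signature checks out, so a client cannot simply append `fb_sig_captcha_grade=1` itself. It assumes the legacy Platform signing scheme (MD5 over the sorted `fb_sig_*` parameters followed by the application secret); `APP_SECRET`, the helper names and the sample requests are constructed for illustration.

```python
import hashlib
import hmac

APP_SECRET = "constructed-example-secret"  # placeholder, not a real secret
PREFIX = "fb_sig_"


def expected_sig(params, secret):
    """Signature over the fb_sig_* parameters (assumed legacy scheme)."""
    # Strip the prefix, sort by key, join as key=value, append the secret.
    signed = {k[len(PREFIX):]: v for k, v in params.items() if k.startswith(PREFIX)}
    payload = "".join(f"{k}={signed[k]}" for k in sorted(signed))
    return hashlib.md5((payload + secret).encode("utf-8")).hexdigest()


def captcha_passed(params, secret=APP_SECRET):
    """True only if the request is correctly signed and the grade is exactly '1'."""
    supplied = params.get("fb_sig", "").encode("utf-8")
    wanted = expected_sig(params, secret).encode("utf-8")
    if not hmac.compare_digest(supplied, wanted):
        return False  # unsigned or tampered request: ignore the grade entirely
    # A missing grade (captcha never submitted) is treated the same as a failure.
    return params.get("fb_sig_captcha_grade") == "1"


def _signed(params, secret=APP_SECRET):
    """Build a constructed sample request, signed as the platform is assumed to."""
    out = dict(params)
    out["fb_sig"] = expected_sig(params, secret)
    return out


# Constructed sample callback requests
PASSED = _signed({"fb_sig_user": "1000", "fb_sig_captcha_grade": "1"})
FAILED = _signed({"fb_sig_user": "1000", "fb_sig_captcha_grade": "0"})
FORGED = dict(FAILED, fb_sig_captcha_grade="1")  # grade flipped, signature now stale
MISSING = _signed({"fb_sig_user": "1000"})       # signed, but no captcha grade sent

if __name__ == "__main__":
    for name, req in [("passed", PASSED), ("failed", FAILED),
                      ("forged", FORGED), ("missing", MISSING)]:
        print(name, captcha_passed(req))
```

Gate the sensitive action (sending invites, posting to feeds) on `captcha_passed(...)` returning true, rather than on the raw parameter value.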