1. Twitter notification emails analysis

    (Why am I up at 2am blogging about something so trivial? An attempt at gaining traffic based on an early brain-dump about a minor Twitter change, maybe? Which this is: a brain-dump, so there may be mistakes, but that doesn’t matter now, does it? As long as I’m “first!”.)

    So here’s the email you get now:

    [Image: Twitter notification email]

    • It’s HTML
    • The user’s avatar is included. This can break if the user later changes their avatar: the avatar URL changes too, but the email has the previous URL hardcoded into it (unless they’ve solved the drifting avatar URL problem with a consistent endpoint?).
    • You’re shown the number of followers/friends/tweets of that user. But the followers/friends are separated by the tweets (updates) which is initially confusing and not easy to scan to compare the ratio.
    • The FROM part of the email is now just noreply@twitter.com. It used to include the email address you have on your Twitter account, which made it easy to filter your email by which Twitter account the notification was sent to. That address is now in the REPLY-TO field instead; can you filter on that? Or you can filter on the TO field and the FROM field in combination, yeah, that might do it. (Has anyone made a nice GMail filter for this yet?)
    • Your username has been removed from the body of the email. Which means you can’t instantly see which account this person is following (if you have multiple accounts).
    • Showing more info in the email might be an attempt to reduce traffic on Twitter.com, but I can’t believe that would have a significant impact on their costs.
    • I’m guessing the grey box in the email is supposed to contain the bio? I haven’t had one yet that does. Bug?
    • The emails are sent as multi-part, which means the text version of old is still there for text-only email clients. Good!
    • It would be great to see the most recent couple of tweets from that user. It’s usually easy to see if they’re spam just from that.
    • Better still, show which friends/followers you share. Then I might gather the context, or the network we share.
    • Or maybe the last few @replies to that person. This might show the level of engagement from other users, further indicating whether they’re spam.

    Isn’t it fun making rushed judgements about the small things Twitter do? :) Anything I missed?
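    As an added example (not from the original post), here is how the header-based filtering discussed in the list above can be done outside GMail: a small Python script that parses a constructed Twitter-style notification, checks that FROM is the generic noreply address, works out which of your accounts the mail belongs to from REPLY-TO (falling back to TO), and confirms that the multipart message still carries a text/plain alternative. The sample message, its addresses and the function names are all constructed for illustration, not taken from Twitter.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample notification modelled on the headers the post describes:
# generic noreply FROM, the account's own address in REPLY-TO, multipart body.
SAMPLE = """\
From: Twitter <noreply@twitter.com>
Reply-To: me+work@example.com
To: me@example.com
Subject: Someone is now following you on Twitter!
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="boundary42"

--boundary42
Content-Type: text/plain; charset="utf-8"

Hi, example_user is now following your updates on Twitter.
--boundary42
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi, <b>example_user</b> is now following your updates.</p></body></html>
--boundary42--
"""

NOREPLY = "noreply@twitter.com"


def parse(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text with the modern policy so get_body() is available."""
    return email.message_from_string(raw, policy=policy.default)


def header_address(msg: EmailMessage, name: str) -> str:
    """Bare addr-spec of a header such as 'Twitter <noreply@twitter.com>', or ''."""
    value = msg.get(name)
    return parseaddr(str(value))[1].lower() if value else ""


def is_twitter_notification(msg: EmailMessage) -> bool:
    """FROM alone no longer identifies the account, only that Twitter sent it."""
    return header_address(msg, "From") == NOREPLY


def account_address(msg: EmailMessage) -> str:
    """The address that tells you which of your Twitter accounts this is about:
    REPLY-TO now carries it, so prefer that and fall back to TO."""
    return header_address(msg, "Reply-To") or header_address(msg, "To")


def plain_text(msg: EmailMessage) -> str:
    """Text of the text/plain alternative, or '' if the mail is HTML-only."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else ""


def route(raw: str) -> dict:
    """One record per message, enough to drive a filter or label rule."""
    msg = parse(raw)
    text = plain_text(msg)
    return {
        "from_twitter": is_twitter_notification(msg),
        "account": account_address(msg),
        "has_text_alternative": text != "",
        "text": text,
    }


if __name__ == "__main__":
    print(route(SAMPLE))
```

    Feed `route()` each incoming message and key your filter on the `account` value; because it prefers REPLY-TO and only then TO, the same rule keeps working for the old FROM-based layout and the new one.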

    UPDATE: Twitter just made a small change to DM (direct message) emails: the FROM field no longer has the real name of the person the message is from. It used to say “Josh Russell via Twitter”. Again, this was good for scanning visually and filtering on. It now just says “Twitter”.

    Strangely, they *have* included your email address as part of the FROM address, whereas it used to be noreply@twitter.com… the opposite of the change they just made on the emails I describe above. It would be nice to have some consistency on small details like this.


  2. Skitch revealing users email addresses

    UPDATE: The developers have now changed this on the site; email addresses are no longer revealed. However, it still reveals the domain of the email address, which, while not quite as bad, isn’t necessary and still leaves a hole. The pattern skitchusername@emaildomain.com, in my opinion, has a good chance of being a valid email (especially on privately owned domains that have catch-all aliases). Why reveal *any* part of the address? Users will either get a reminder email or they won’t!

    In this day and age, it’s 2000 and f*cking 8 FFS!

    [Image: Skitch revealing email addresses]


    So what’s happening here...

    As I finally got around to signing up for a Skitch alpha/beta/whatever (Thanks Jimk) I thought I’d just check to see if I already had. I tried my usual login details that I pretty much use everywhere for non-critical accounts. Both the usual usernames/nicknames were taken. Now this isn’t unusual, but as an early adopter this is rare for me.

    I then decided to go and try to retrieve the password for one of those accounts (it’s possible it was me). Providing a username or email address should check whether the account exists and, if it does, send the password reset instructions to the registered email. If this was my account, I would receive the email.

    [Image: Skitch’s lost password form]

    In theory, that’s a relatively OK way of doing that process. What went wrong was this: having entered just a username, I was then shown a screen that contained the email address for that account. It was not my email address.

    Recap:

    • email addresses are shown by providing any username
    • usernames are used as personal URLs, thus easily found
    • this is possible without being logged in, thus untraceable

    Why is this a bad thing? Well, apart from the obvious reason, it wouldn’t be very hard for someone to script something that systematically tries usernames and thus discovers email addresses.
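    To make the hole concrete from the defender’s side, here is an added example (not Skitch’s code; the user store, handler names and addresses are all constructed): a password-reset handler in the three states this post describes, the original that shows the registered address, the “update” state that still shows the domain, and a hardened version that returns the same message whether or not the username exists and mails the token only to the registered address, plus a small check that tells you whether a handler’s visible response still acts as an account-existence oracle.

```python
import secrets

# Constructed sample account store: username -> registered email address.
USERS = {
    "jrussell": "josh@example.com",
    "earlyadopter": "someone@private-domain.example",
}

# Stand-in for the mailer: reset tokens are recorded here instead of being sent,
# so a test can confirm that only the registered owner would receive one.
OUTBOX: list = []


def send_reset_email(address: str, token: str) -> None:
    OUTBOX.append((address, token))


def vulnerable_reset(username: str) -> dict:
    """The behaviour the post describes: any username confirms whether the
    account exists, and the page shows its registered email address."""
    address = USERS.get(username)
    if address is None:
        return {"message": "No account with that username"}
    send_reset_email(address, secrets.token_urlsafe(16))
    return {"message": f"Reset instructions sent to {address}"}


def partially_fixed_reset(username: str) -> dict:
    """The post's 'update' state: the full address is hidden, but the domain is
    still shown, so username@domain is a good guess and existence still leaks."""
    address = USERS.get(username)
    if address is None:
        return {"message": "No account with that username"}
    send_reset_email(address, secrets.token_urlsafe(16))
    domain = address.split("@", 1)[1]
    return {"message": f"Reset instructions sent to your address at {domain}"}


GENERIC = "If an account matches, reset instructions have been sent to its registered address."


def hardened_reset(identifier: str) -> dict:
    """Same visible response whether or not an account matches, and no part of
    the registered address in it. The only person who learns anything is the
    owner of the inbox that receives the token."""
    address = USERS.get(identifier)
    if address is None and identifier in USERS.values():
        address = identifier  # lookup by exact registered email address
    if address is not None:
        send_reset_email(address, secrets.token_urlsafe(16))
    return {"message": GENERIC}


def response_is_oracle(handler) -> bool:
    """True if the handler's visible response distinguishes a real username
    from a made-up one: the enumeration hole the post warns about."""
    known = handler("jrussell")
    unknown = handler("no-such-user-" + secrets.token_hex(4))
    return known != unknown


if __name__ == "__main__":
    for handler in (vulnerable_reset, partially_fixed_reset, hardened_reset):
        print(f"{handler.__name__}: {handler('jrussell')['message']}"
              f"  oracle={response_is_oracle(handler)}")
```

    The three properties that close the hole are all in `hardened_reset`: one fixed message for every input, nothing from the stored address echoed back, and the token delivered only to the address already on file. Rate limiting on the endpoint is a sensible complement, since it slows the scripted username sweep the post describes, but it does not replace a response that gives nothing away in the first place.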

    Please, Please fix this!

    There are surely other examples of this behaviour; how long will it go on?

    P.S. I really do like Skitch, it’s a great tool. I’ve been using GrabUp more, though, as it’s much simpler.