You almost got me to fork over my personal information, but I stopped just in time.
I like how you use OAuth to allow people to sign into your site with their Tumblr accounts. So far, so good:
But then, after users sign in, you try to trick the user into handing over their email address with this screen that mimics the Tumblr OAuth look and feel. Notice the address in the URL; this is not an official Tumblr screen:
How do I know this isn’t an official Tumblr screen? First, the URL is hosted on Tumblr Cloud’s domain. Second, I typed in a nonsense email address and it worked, so we know they aren’t “confirming my email address”.
Basically, Tumblr Cloud is using a simple word cloud service to phish for Tumblr user email addresses. At least we know Tumblr users are smarter than this and aren’t falling for it, right? Right?
300,000+ clouds already created. How many people unwittingly handed over their email address to this site because they thought it was part of the Tumblr oAuth process?
This has got to be against the Tumblr ToS for apps, right? Using OAuth to allow users to sign in with their Tumblr account while then mimicking the Tumblr look and feel to trick users into handing over personal information?
It’s not like that second screen is being truthful. I typed in a nonsense email address and it worked; it’s not confirming anything. It’s just there to harvest user email addresses.
If the second screen had said, “Enter your email to find out about new upcoming Tumblr Cloud features” and had not tried to look like an official Tumblr screen, there’d be no problem.
But it lies to the user, telling them to enter their email address to “confirm” it (which we now know it doesn’t do), uses the Tumblr look and feel to make it seem like an official, safe screen, and doesn’t offer an opt-out or cancel option, thus forcing users to enter their email address to continue.
All around, just shady, shady, shady. Stay away from Tumblr Cloud.