After using the service for a while to monitor the availability / performance of my Magento installation I started getting 404s for the following URLs.
.git/config
.svn/wc.db
adminpanel/
administrator/
admin123/
phpmyadmin
phpinfo.php
This is only a sampling of the 404s I was getting from them. Essentially the types of URLs you would expect from someone probing your site for security weaknesses.
I never gave them the task or permission to probe my site, do any penetration testing or anything other than checking my site's availability. I only signed up for monitoring.
This behavior is massively unprofessional!
While a service that scans your site for weaknesses can be very useful, this should only be done in conjunction with the wishes of the site owner.
A definite thumbs down from me for Magebee.com / Scandiweb.com!
Patrick Ryan
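As an added example (not code from this thread, from Magebee or from Magento), this is the kind of rule a store owner tuning intrusion detection could run over web-server access logs: it parses combined-format log lines, flags any source that repeatedly requests the probe paths listed in the post above, and separates probes from the crawler IP the vendor declares later in the thread from probes by unknown sources. The log lines, the threshold and the assumption that the declared IP is still current are all constructed for the example.

```python
import re
from collections import defaultdict

# Paths from the 404 sample in the post; requests for these are a probing signature.
PROBE_PATHS = (".git/config", ".svn/wc.db", "adminpanel/", "administrator/",
               "admin123/", "phpmyadmin", "phpinfo.php")

# Crawler IP the vendor states in this thread; assumed still current for the allowlist.
DECLARED_SCANNER_IPS = {"52.31.75.197"}

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line, skipped rather than crashing the scan
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path, "status": int(status)}

def is_probe(path):
    # normalise: drop leading slashes and query string, compare case-insensitively
    p = path.lstrip("/").split("?", 1)[0].lower()
    return any(p == s or p.startswith(s) for s in PROBE_PATHS)

def classify_probes(lines, threshold=3):
    """alerts: unknown IPs with >= threshold probe hits; known: hits from declared scanners."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["ip"]].append(rec["path"])
    alerts = {ip: p for ip, p in hits.items()
              if ip not in DECLARED_SCANNER_IPS and len(p) >= threshold}
    known = {ip: p for ip, p in hits.items() if ip in DECLARED_SCANNER_IPS}
    return alerts, known

SAMPLE_LOG = [  # constructed sample traffic, not real log data
    '52.31.75.197 - - [10/Jan/2018:09:00:01 +0000] "GET /.git/config HTTP/1.1" 404 512 "-" "monitor-bot"',
    '52.31.75.197 - - [10/Jan/2018:09:00:02 +0000] "GET /.svn/wc.db HTTP/1.1" 404 512 "-" "monitor-bot"',
    '52.31.75.197 - - [10/Jan/2018:09:00:03 +0000] "GET /adminpanel/ HTTP/1.1" 404 512 "-" "monitor-bot"',
    '52.31.75.197 - - [10/Jan/2018:09:00:04 +0000] "GET /phpinfo.php HTTP/1.1" 404 512 "-" "monitor-bot"',
    '198.51.100.4 - - [10/Jan/2018:09:01:00 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2018:09:02:10 +0000] "GET /phpmyadmin HTTP/1.1" 404 512 "-" "curl/7.58"',
    '203.0.113.9 - - [10/Jan/2018:09:02:11 +0000] "GET /administrator/ HTTP/1.1" 404 512 "-" "curl/7.58"',
    '203.0.113.9 - - [10/Jan/2018:09:02:12 +0000] "GET /admin123/ HTTP/1.1" 404 512 "-" "curl/7.58"',
]
```

Declared-scanner hits still get recorded in `known`, so an owner who never agreed to scanning can see the activity even when it is not paged as an alert.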
Hi Patrick, thanks for sharing your experience. I'm not familiar with magebee. From their homepage, it makes it quite clear that it will check for security weaknesses though, so it doesn't seem underhand. Did they start out as just performance monitoring and then add the security features without telling you? Or was it perhaps not clear what their security tests involved?
Hello Tom,
certainly above and beyond normal Moderator duties to look into this. Thumbs up.
Here's the original contact from MageBee (removed e-mail and telephone):
Name: Clara, the Magebee.co
Comment: Bzz... Bzz.... Meet Clara, your Magento worker bee.
She is trained to probe your Magento store every few minutes. If something is wrong - your server is down or Magento store is not working - she rushes back to the hive and notifies you!
Clara works for FREE. Great bee.
Go to www.magebee.co to launch her!
Please note, this was sent using the Magento contact form on our German language site. Usually, I would ignore it as spam but I was looking for a secondary monitoring option at the time.
At that time you could simply click the link, enter your site and email and that was it. No notice was given that security scans would be taking place.
In fact I only noticed it when doing some work recently to improve our intrusion detection settings. The 404s they were creating were being ignored up to that point.
Maybe updating their customers was just overlooked, can happen in a growing company, but I expect more transparency from a company that purports to be helping store owners with security.
Patrick
PS. They still can't tell when a site is in maintenance and report false positives despite correct 503 error code and a response page including the word maintenance.
Thanks
Thanks for the additional information. It sounds like while there might have been the best intentions, there wasn't sufficient communication/messaging around what you were signing up to. So, that's a reasonable response.
Thanks for sharing your experience.
We scan a site for vulnerable security paths because we provide Magento Security Vulnerabilities details.
You can see more details opening our homepage https://magebee.com/ and our FAQ page https://magebee.com/faq.
We always answer by email at bee@magebee.com, and if you want to stop your site from being scanned, you can do this from the dashboard or write to us by email.
You never mind how many sites have vulnerabilities, and our goal is to inform store owners of them.
https://magebee.com/ works similar to https://www.magereport.com/
Hello, Ryan and Tom!
@ryanp, first of all, thank you a lot for the feedback! My name is Glebs and I am an Executive Partner at Scandiweb.com, and I am also partially involved in our small start-up project magebee.com. At the same time, I would not associate Scandiweb.com with Magebee since it is a completely separate entity in our company.
@ryanp, regarding your problem - you can find details on which parts of the store we scan in the FAQ section and Privacy Policy of the website. We indeed do basic security checks (not a penetration test) to inform you in case, for example, your Admin Panel path matches a well-known pattern (such as adminpanel/, administrator/, etc.). In case it does, it puts your store at risk and it's our responsibility to inform you about it.
Our tool works in a similar way to other online scanners, e.g. magereport.com or magento.com/security.
On top of that, you can identify our crawler by the following IP address: 52.31.75.197
At the same time, I fully agree with you that the UX of the application could possibly be improved so it is clearer what you are applying for. @ryanp, I would much appreciate it if you shared your feedback on what you think we need to improve and we will incorporate the changes into the platform ASAP. We would much appreciate it if you dropped us a line at bee@magebee.com
@Tom Robertshaw, also let me know, please, if Magebee can do anything to close this case - your suggestions on the improvements are much appreciated!
Very best,
Dear Scandiweb / Magebee,
It seems that your Google Alerts have been triggered.
On your homepage the link to the FAQ is at the very bottom of the page next to the privacy policy. It is literally the last part of the page that you see! At Magereport it is right at the top.
Magebee does not work at all like Magereport! Magebee scans a website repeatedly for vulnerabilities. Magereport only scans when you manually trigger a scan. Magereport also provides links and additional information regarding the status of the scan and potential problems.
Another major difference between Magereport and Magebee is that there is an actual physical address and contact information at Magereport. What is particularly interesting here is that Magebee is scanning from an AWS instance based in Ireland. EU law requires internet services to list the company and address. Breaking EU law is not exactly a vote of confidence for a company that is offering security scans! This is seriously dubious!
The security scan was not mentioned in any way when I first signed up for monitoring, nor was it communicated to me if it was added at a later date.
My dissatisfaction was already communicated via e-mail to your "Chief Information Security Officer", at least I assume that is what CISO means. While my account was directly deleted as I requested (thank you), the other answers were just the same tired, canned replies of look at the FAQs. Now, you are on the Magento boards with the same replies and requesting that the thread be scrubbed by a moderator! Or how am I to interpret "@Tom Robertshaw, also let me know, please, if Magebee can do anything to close this case"?
As far as improvements go may I suggest the following:
1. Know and follow the laws of the country / region where you are offering your services.
2. Realize that security and transparency go hand in hand.
3. Don't use the tired reply of "look at the FAQs" (particularly when they are not prominently visible).
4. Don't try to remove a complaint from the internet, own up to it, fix the problem and move on.
You seem to want to help store owners take security more seriously; to do this you need to take transparency seriously.
I do take security, and therefore transparency, seriously, which is why I made this post.
Patrick Ryan
P.S. 5. Don't solicit business by spamming Magento contact forms.
Hello @ryanp !
I've decided to jump in and bring some life in this old thread.
Thank you for your feedback on that!
We, at Magebee, think that it is very valuable to receive complaints from our customers, so we will be listening directly to what they think.
In regards to the original issue stated in this thread - we have added a configuration option which can disable repetitive security checks. So then you will have Magebee as a Magento Uptime monitor. But if you decide to get the additional value of security checks later - you can easily do so with the configuration.
It can be easily done from the dashboard, you may see a screenshot here -
We have also implemented a redesign, so the FAQ link is the first one you see in the header.
I do hope you can enjoy the updated version of the product. And if there are still some complaints - please do not hesitate to reach us immediately, so we will be working like bees to improve our bees =)
Two years to fix the problem = obviously not high priority!
Coming back to save face on the Magento Forums = pure whitewashing
Still not listing your physical address on your website despite having your servers (on Amazon I believe) in Ireland (EU) and doing business in the EU = completely illegal according to EU law. (I can only imagine how bad your compliance with the EU GDPR is)
What is clear here is that what is legal and transparent to customers is not really your focus.
This just shows that Magebee.com and their parent company Scandiweb.com are very untrustworthy.