After using the service for a while to monitor the availability / performance of my Magento installation I started getting 404s for the following URLs.
This is only a sampling of the 404s I was getting from them. Essentially the types of URLs you would expect from someone probing your site for security weaknesses.
I never gave them the task or permission to probe my site, do any penetration testing or anything other than checking my site's availability. I only signed up for monitoring.
This behavior is massively unprofessional!
While a service that scans your site for weaknesses can be very useful, this should only be done in line with the wishes of the site owner.
A definite thumbs down from me for Magebee.com / Scandiweb.com!
Hi Patrick, thanks for sharing your experience. I'm not familiar with Magebee. Their homepage makes it quite clear that it will check for security weaknesses, though, so it doesn't seem underhand. Did they start out as just performance monitoring and then add the security features without telling you? Or was it perhaps not clear what their security tests involved?
Certainly above and beyond normal Moderator duties to look into this. Thumbs up.
Here's the original contact from MageBee (removed e-mail and telephone):
Name: Clara, the Magebee.co
Comment: Bzz... Bzz.... Meet Clara, your Magento worker bee.
She is trained to probe your Magento store every few minutes. If something is wrong - your server is down or Magento store is not working - she rushes back to the hive and notifies you!
Clara works for FREE. Great bee.
Go to www.magebee.co to launch her!
Please note, this was sent using the Magento contact form on our German language site. Usually, I would ignore it as spam but I was looking for a secondary monitoring option at the time.
At that time you could simply click the link, enter your site and email and that was it. No notice was given that security scans would be taking place.
In fact I only noticed it when doing some work recently to improve our intrusion detection settings. The 404s they were creating were being ignored up to that point.
Maybe updating their customers was just overlooked, which can happen in a growing company, but I expect more transparency from a company that purports to be helping store owners with security.
PS. They still can't tell when a site is in maintenance and report false positives despite a correct 503 error code and a response page including the word "maintenance".
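Two practitioner-side checks the post above touches on, as an added example that is not part of the thread or of Magebee's software: spotting an uninvited scanner in the web server access log (a single client producing a burst of 404s for paths a normal visitor never requests), and, on the monitoring side, treating a 503 whose page says "maintenance" as planned downtime rather than an outage. The log lines, IP addresses and probed paths below are constructed for the example and are not the URLs from the original post; the allowlist models a monitor whose scanning the site owner has actually agreed to.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Nginx combined log format (not from the
# original post). 203.0.113.7 behaves like a scanner: several distinct 404s
# in two seconds for admin/config paths; 198.51.100.20 is an ordinary visitor
# who hit one stale link.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:01:02 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:01:03 +0100] "GET /downloader/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:01:03 +0100] "GET /app/etc/local.xml HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:01:04 +0100] "GET /magmi/web/magmi.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:01:04 +0100] "GET /shell/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2016:10:02:10 +0100] "GET /some-product.html HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2016:10:02:15 +0100] "GET /old-page.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_probe_sources(log_text, threshold=3, allowlist=frozenset()):
    """Return {client_ip: sorted distinct 404 paths} for every client that
    produced at least `threshold` distinct 404 paths and is not allowlisted.

    Counting distinct paths rather than raw 404s keeps a visitor who reloads
    one dead link from looking like a scanner, while a crawler walking a
    wordlist of admin/config paths stands out after a handful of misses.
    """
    misses = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        if m["status"] == "404" and m["ip"] not in allowlist:
            misses[m["ip"]].add(m["path"])
    return {ip: sorted(paths) for ip, paths in misses.items() if len(paths) >= threshold}


def classify_response(status, body):
    """Classify one monitoring probe of a page as 'up', 'maintenance' or 'down'.

    A 503 whose response page mentions maintenance is planned downtime and
    must not raise a "site down" alert; any other 4xx/5xx is a real failure.
    The word match on the body is the check the post above says the service
    failed to make; a stricter monitor would also look for a Retry-After header.
    """
    if status < 400:
        return "up"
    if status == 503 and "maintenance" in body.lower():
        return "maintenance"
    return "down"


if __name__ == "__main__":
    for ip, paths in find_probe_sources(SAMPLE_LOG).items():
        print(f"possible scanner {ip}: {len(paths)} distinct 404 paths -> {paths}")
    # Once a monitor's scanning has been agreed to, allowlist its published
    # address so it stops tripping the rule; unknown scanners still do.
    print("with allowlist:", find_probe_sources(SAMPLE_LOG, allowlist={"203.0.113.7"}))
    print(classify_response(503, "<h1>Site under maintenance, back soon</h1>"))
    print(classify_response(503, "Service Unavailable"))
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; the threshold of three distinct misses is a starting point, and on a large store with many dead links you will want to raise it or restrict the count to paths outside your known URL space.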
Thanks for the additional information. It sounds like while there might have been the best intentions, there wasn't sufficient communication/messaging around what you were signing up to. So, that's a reasonable response.
Thanks for sharing your experience.
We scan a site for vulnerable security paths because we provide Magento Security Vulnerabilities details.
We always answer emails at email@example.com, and if you want to stop your site from being scanned you can do this from the dashboard or write to us by email.
You would not believe how many sites have vulnerabilities, and our goal is to inform store owners about them.
Hello, Ryan and Tom!
@ryanp, first of all, thank you very much for the feedback! My name is Glebs and I am an Executive Partner at Scandiweb.com, and I am also partially involved in our small start-up project magebee.com. At the same time, I would not associate Scandiweb.com with Magebee, since it is a completely separate entity in our company.
Our tool works in a similar way to other online scanners, e.g. magereport.com or magento.com/security.
On top of that, you can identify our crawler by the following IP address: 220.127.116.11
At the same time, I fully agree with you that the UX of the application could possibly be improved so that it is clearer what you are signing up for. @ryanp, I would much appreciate it if you shared your feedback on what you think we need to improve, and we will incorporate the changes into the platform ASAP. We would much appreciate it if you dropped us a line at firstname.lastname@example.org
@Tom Robertshaw, please also let me know if Magebee can do anything to close this case - your suggestions on the improvements are much appreciated!
Dear Scandiweb / Magebee,
It seems that your Google Alerts have been triggered.
Magebee does not work at all like Magereport! Magebee scans a website repeatedly for vulnerabilities. Magereport only scans when you manually trigger a scan. Magereport also provides links and additional information regarding the status of the scan and potential problems.
Another major difference between Magereport and Magebee is that there is an actual physical address and contact information at Magereport. What is particularly interesting here is that the Magebee is scanning from an AWS instance based in Ireland. EU law requires internet services to list the company and address. Breaking EU law is not exactly a vote of confidence for a company that is offering security scans! This is seriously dubious!
The security scan was not mentioned in any way when I first signed up for monitoring, nor was it communicated to me if it was added at a later date.
My dissatisfaction was already communicated via e-mail to your "Chief Information Security Officer", at least I assume that is what CISO means. While my account was directly deleted as I requested (thank you), the other answers were just the same tired, canned replies of "look at the FAQs". Now you are on the Magento boards with the same replies and requesting that the thread be scrubbed by a moderator! Or how am I to interpret "@Tom Robertshaw, also let me know, please, if Magebee can do anything to close this case"?
As far as improvements go may I suggest the following:
1. Know and follow the laws of the country / region where you are offering your services.
2. Realize that security and transparency go hand in hand.
3. Don't use the tired reply of "look at the FAQs" (particularly when they are not prominently visible).
4. Don't try to remove a complaint from the internet, own up to it, fix the problem and move on.
You seem to want to help store owners take security more seriously, to do this you need to take transparency seriously.
I do take security, and therefore transparency, seriously, which is why I made this post.