Warning: Bevo Media PPC Tracking = Lame Duck

I wish I didn’t feel compelled to write this, as this is one project I was really looking forward to using.

I applied for the beta a while back but didn’t make the cut… obviously they thought they had enough affiliates testing it.

Those affiliates obviously have no idea about business security.

Bevo Media Security Flaw

They are asking for and storing Google Account passwords…

That is a high risk.

It may also mean that users would give their Gmail account access, which might have other personal data such as hosting and domain registration information.

This could be partially overcome by upgrading to their premium service and running the software on your own server however…

Their automatic upgrade represents a security risk
I wouldn’t trust myself to secure a Rackspace server – actually I was recently helping a friend diagnose a hacked WordPress blog that was on a Rackspace managed server – do you think you are up to the task of securing one of their self-managed servers in the cloud?

One of the reasons I switched to a Liquidweb Storm server was because I didn’t feel confident keeping a server secure for myself, and paying a geek to do it for me just wasn’t working out as time- or cost-effective.

Bevo Media (BevoRyan) stated this on their forums

Liquid Web not a recommended server

Because of the rigorous default permissions set on a Liquid Web server, we highly suggest against using Liquid Web as a way of hosting Bevo Self Hosted. We found that hosting on LiquidWeb creates a ton of issues, and bugs that do not show up when using Rackspace as using your hosting solution. Our self hosted version was made for Rackspace Cloud environment, and although it is possible to install the self hosted version on other servers, we suggest sticking with Rackspace. Rackspace is much less expensive yet more powerful than LiquidWeb, which is why we chose to use them over any other server companies.

I strongly disagree on the cost… I was paying $400/3 months for a good server jockey yet I find Liquidweb support to be better. That was just support.
My Liquidweb Storm server costs me $50 for the base server, $20 for Cpanel + support, and then maybe $20/month on top for bandwidth and backups. I could see the bandwidth going a little higher though I should farm most of that out to a CDN.

I admit using an API isn’t totally secure, but ultimately you can revoke access. You could create special Google accounts and give them access to particular Adwords & Analytics accounts, and then give those passwords to Bevo Media, but the majority of users won’t have the required tin-foil hat to even think about taking that precaution.

If I was using their self-hosted software (which whilst open-source is $200/month) then that is the direction I would have to go for now… creating new Google accounts just for use with Bevo Media.
You could possibly do that for their SaaS version, but that would require very specific training explaining why it needs to be done, and possibly why they felt they couldn’t use the API as provided by Google (which seems good enough for other competitors).

It isn’t that I don’t trust the guys at Bevo Media; I don’t trust people who hack servers to get hold of hundreds of Adwords accounts – it is a huge pot of gold for your average Russian or Chinese hacker to target (or any other nationality for that matter).

Bevo Media might well be great software, I plan to do some more testing with dedicated accounts granted access, but thought it important to get this “out there” before people use their primary Google account details with a 3rd party server.

Whatever you do, don’t give away your primary Google account details to anyone – they are the keys to your online business.



  1. says

    I had the same issues with just sharing Twitter account information. Twitter eventually changed and offered OAuth. Google however always offered an API, so what can you get by scraping that the API does not give?

    • says

      I can’t understand it either… there is no need that I can determine.

      Yesterday I signed up for PostRank as they have a free offer if you are willing to give them some personal data
      PostRank only use Google APIs

      They didn’t ask for full DoB or Social Security number, so the data is pretty much online anyway… I might get a few offers from their partners but fair deal.

      Raven SEO tools uses API with no problems

      There are WordPress plugins that use Google APIs… that I am a little uncertain about to be honest as API is still a risk and WP sites get hacked too often and you might not notice… I suppose in that situation you would be best to create a new Google account with read only access.

  2. says

    Hey man,
    I’m the lead programmer on Bevo.

    Your security concerns are totally and completely reasonable. Being afraid of hackers is a good thing. Please don’t change one bit of your opinion.

    I need to take a second to defend some of our positions on the issues, though —
    Re: Passwords — Giving us your Google password is optional, and only required if you want to use our Adwords Ad Editor, or automatically pull your impressions/cost data from your Adwords account. You should only ever give out your password to people you trust, and even still, it’s probably prudent to use separate accounts whenever you have to share your credentials. The API calls we make to Google Adwords require username+password authentication, every time we hit the service, so there was no way around collecting passwords. We simply could not have built our service without it.

    Re: LiquidWeb — When I built the self-host version (although there have been other developers on the project, I did every piece of the selfhost with my own two hands), we knew from the get-go that everyone uses a different host, that no one host is “most popular”, and that every host configures their servers differently. There’s no way that I could have done thorough testing of the software on multiple providers to assure quality, so we chose one provider (I like Rackspace from personal experience) and, because not everyone uses Rackspace, we built an auto-launcher that configures you a VPS dedicated to Bevo, with a server that was configured by me, through a script I wrote myself, setup exactly how I would do it. The server is unmanaged and there’s no control panel and we discourage you from running anything else on it — This is our “yardstick” for the Selfhost version. It’s a “clean server”, it’s the best performing, best configured, best supported way to run it, with no extra open ports and no unnecessary services running to create security holes. Providing a reliable benchmark like this for the community was the only way I could sleep with myself at night, while putting out a selfhost product that I knew full well would suffer from host-specific quirks. We don’t have the development team nor the community support resources of WordPress to comprehensively ensure we’ll run perfect on every setup, so that was never our goal. You can run Bevo on LiquidWeb, or any other server, if you want, but it’s “at your own risk”.

    Re: Rackspace being “insecure” — I’m not a betting man, but knowing only what you’ve said about your friend’s servers, I’d bet my life savings that your friend’s server was hacked because of WordPress, cPanel or a weak root password, and not because of Rackspace itself. I know WordPress users on LiquidWeb that have been hacked, as well, so I feel this argument is moot.

    Cheers, and thanks for taking the time to check out our software,

    • says

      The screenshot in the post is for Google Analytics.

      You can/should authenticate using an API for Google Analytics.

      With Adwords it is a little more tricky, as far as I can tell they don’t have OAuth, but the viable alternative would be to use an MCC account.

      You should link your My Client Center (MCC) account to the client account you want to manage. Then, when making an API request, you must include in the request header the email and password of the MCC plus the login email or client customer identification (ID) of the client account.

      Note that there are two ways to link your MCC to a client account: “User Interface and API” or “API only”. While both give you API access, only one will fully credit the client account’s spend towards your API unit usage. For more information, read our FAQ about My Client Center and API-Only access levels.

      By using MCC, it would also solve your API use credit problems which I also noticed on the forums – you would qualify for preferred API pricing.

      If someone is spending $1000/month on Adwords, that would give you 250,000 API credits.

    • says

      Regarding the server choice….

      The way things were worded suggested problems with security settings. For instance I run mod_security on this server and have had to include some exceptions just to use WordPress. Just writing a blog post with the word “select” in it a few times rather than “choose” was causing problems.

      I appreciate you might be a good server jockey, but it is a fair chunk of liability with server issues to undertake providing your own images in that way for customers.

  3. Predicti Handbal says

    “Being afraid of hackers is a good thing. Please don’t change one bit of your opinion.” … lol … u can meet it everywhere … keep ur opinions

    • says

      You get comment spammers everywhere… in many ways as evil sucking up my time.

      I want to improve the software so it is safe for my readers to use it
      Leeward by my understanding of his comments, understood that is the purpose, and that being concerned about security is a good thing.

  4. Price Comparison Web says

    Thanks for sharing but I think we should wait because you can’t say to anyone that he is a hacker or he will misuse that info, yeah there is a chance, but stop n wait as the time goes other people will do and who knows maybe they are helping people.

    • says

      That would be building your house out of straw – I don’t encourage my readers to do that, and I don’t think developers should take these shortcuts.

      As it happens this shortcut is probably costing them thousands of dollars in API fees, so it would be well worth implementing.