A Russian forensics firm named Elcomsoft has discovered that Apple was storing users’ Safari browsing histories in iCloud going back more than a year, possibly much longer. This was happening even after users had asked for any deleted records to be wiped from their iCloud-connected devices. Soon after Elcomsoft announced a way to extract deleted browsing histories from iCloud, Apple applied a server-side fix to stop the retrievals and apparently purged all records older than two weeks.
“Good move, Apple,” Elcomsoft said. “Still, we would like to get an explanation.”
Apple declined to comment publicly on Elcomsoft’s findings.
Elcomsoft has discovered, by chance, that information about deleted entries in Safari’s browsing history was being stored in iCloud, possibly indefinitely. Those records included things like website names, URLs and when a given site was visited.
Cleared records were simply marked as “deleted” in the table on iCloud. The items don’t appear to have been accessible to law enforcement requests.
According to security experts, this was a design flaw rather than some sort of nefarious scheme on Apple’s part.
iCloud syncing requires records of deleted items to remain accessible on servers for some time after the actual items have been deleted. This allows an iCloud device that may be turned off or inaccessible to remove a copy of the item which was previously deleted from Safari on another device, as soon as that device is back online.
Now, all companies that run online services which store user data on servers are required by law to adhere to some form of data retention, obliging them to keep any deleted items on servers for a certain period of time. As explained, keeping a record that a given site has been visited and cleared permits Apple to synchronize this information with other devices that may be currently inaccessible to iCloud.
Elcomsoft successfully pulled these records with its mobile acquisition tool going back more than a year, but that was before Apple silently applied a server-side fix. The tool extracts full information about each record including the date and time on which the record was last accessed as well as the date and time the record has been deleted.
Elcomsoft found those records stored in unhashed form as far back as November 2015.
Though Elcomsoft’s Phone Breaker probing tool could be used to access this data in an unencrypted form, it requires the user to have access to a target’s iCloud login credentials or an authentication token stored on the device itself, making iCloud-related privacy invasions difficult to pull off.
According to Forbes, a change Apple implemented in Safari 9.1 and iOS 9.3 turns any deleted URLs from the user’s web history into a hashed form to prevent snooping. In the meantime, you can avoid this problem altogether by disabling Safari syncing in iCloud settings on your iPhone, iPad or Mac.