Explained: Apple iCloud kept 'deleted' browser histories for over a year

Cupertino giant quickly purged supposedly dead files when word got out

Apple iPod touch

Apple appears to have fixed a flaw in iCloud that retained a copy of deleted Safari browsing history data synced from local devices for more than a year.

On Thursday, Russian computer forensics software biz Elcomsoft said that its forensic software was able to recover Safari browser history records that had been stored in iCloud and erased, including the date the URLs were last visited and when the deletion occurred.

Vladimir Katalov, CEO of Elcomsoft, in a blog post highlighted the forensic value of browsing data. Because iCloud sync works continuously, if enabled by the user, it's particularly useful for surveillance and investigations, he suggested.

Shortly after the publication of Elcomsoft's findings, Apple took undisclosed steps to address the issue. According to Katalov, Safari browser history data stored in iCloud now only dates back two weeks, deleted or not.

Apple did not respond to a request for comment.

The speed with which Apple chose to address the issue suggests something of the information's potential value. Apple presumably wanted to avoid the burden of complying with a surge of demands for data assumed to be lost.

Regardless, the company had to act to meet its data retention commitment in its Legal Process Guidelines: "Apple does not retain deleted content once it is cleared from Apple's servers."

Apple says it retains iCloud connection logs up to 30 days and iCloud mail logs for up to 60 days.

This isn't the first time Apple's data retention reality hasn't matched its policy. In November, Elcomsoft found that iCloud was storing iPhone call histories without notification or consent. Apple has since fixed that issue.

The previous availability of deleted Safari browsing data isn't all that significant in the range of possible privacy failures. First, someone using Elcomsoft's software would have to know the user's account name and password to access iCloud data, or would have to be in a position to demand account information from Apple through the established legal process.

In the context of an investigation, Google and the suspect's ISP are likely to have a more comprehensive picture of online activities than iCloud backups.

What's more, the user would have had to opt in to having Safari data synchronized to iCloud.

As to the technical nature of the flaw, we can only speculate, since Apple did not respond to a request for an explanation.

One possible cause might be a client-side bug with the way Safari or the iCloud sync software handles data. Safari stores history data in an SQLite database. A Stack Overflow post from more than a year ago suggests that deleting these files doesn't always work. So perhaps a local browser storage flaw – using a cached file when the original can't be found, for example, or a file lock that prevents removal – keeps deleted records around and syncs them.

It's equally possible the issue could reflect an iCloud bug.

If privacy is a serious concern, avoid iCloud and cloud services in general. ®




Biting the hand that feeds IT © 1998–2018