Security researchers at Elcomsoft, a company that developers forensic tools for extracting data from iOS devices, have discovered that Apple has been storing users’ Safari browsing histories in iCloud for extended periods of time, Forbes reports. Elcomsoft CEO Vladimir Katalov, who also discovered last November that Apple was storing iPhone call logs in iCloud, told Forbes that data stored in iCloud for syncing web browsing history and related data across iOS and macOS devices is actually retained in separate “tombstone” records even after browsing history entries have been “cleared” from Safari. Katalov indicated he came across the issue by accident when testing one of his company’s forensic tools to compare data extracted from an iPhone to the data from that iPhone’s linked iCloud account. According to Katalov, these records “stay in the cloud probably forever.”
Forbes was also able to independently verify these claims using Safari 10.0.2 and Elcomsoft’s “Phone Breaker” tool, discovering nearly 7,000 “deleted” records going back for over a year.
Records were accompanied by additional data such as the number of time a site had been visited as well as the date and time the item was deleted. Full terms of Google searches also appeared in the control panel of the Elcomsoft tool. An independent iOS forensics expert, who asked to remain anonymous, also validated these claims, discovering 125,203 records from their browsing history going back to the same date, even after the Safari caches had been cleared. Other deleted data retained by iCloud, such as Notes, appeared to only be retained for a much shorter period, generally less than 30 days.
The report acknowledges that while it’s unclear why this data is being stored, the issue is likely a design issue having to do with the iCloud sync feature used to provide consistent Safari history data across all of a user’s iOS and macOS devices. It is normal for synchronization services to maintain deleted “tombstone” records to keep track of deleted data until those deletions have synchronized with all of the connected devices, however there doesn’t appear to be any obvious reason why data would need to be retained beyond this time frame.
While Apple declined to officially comment on Elcomsoft’s findings, a source with knowledge of the matter told Forbes that Apple has been making it harder in recent Safari and iOS versions to track browsing history by turning URLs into hashes, although this step obviously wasn’t enough to prevent Elcomsoft’s tool from accessing this information in a clear form. The report also added an update that shortly after publication, Katalov and another source contacted Forbes and indicated that the old records were actually disappearing, suggesting that Apple has responded quickly to the revelation and is now removing the old data, although they have still not provided any official comment on the matter, and while the window of how much deleting browsing history is now being retained has been decreased, Elcomsoft indicates that two weeks’ worth of deleted data still appears to be retained.
