Zamen | زامن
iCloud was storing deleted browsing histories
A Russian forensics firm named Elcomsoft has discovered that Apple was storing users' Safari browsing histories in iCloud going back more than a year, possibly much longer. This was happening even after users had asked for any deleted records to be wiped from their iCloud-connected devices. Soon after Elcomsoft announced a way to extract deleted browsing histories from iCloud, Apple applied a server-side fix to stop the retrievals and apparently purged all records older than two weeks.
“Good move, Apple,” Elcomsoft said. “Still, we would like to get an explanation.”
Apple declined to comment publicly on Elcomsoft's findings.
ElcomSoft found that information about deleted records was being stored in iCloud possibly indefinitely. Those records included things like website names, URLs and when a given site was visited.
The users's cleared browsing records were simply marked as “deleted” in the table. They don't appear to have been accessible to law enforcement requests.
According to security experts, this was a design flaw rather than some sort of nefarious scheme on Apple's part.
iCloud syncing requires any records of deleted items to remain accessible for some time after the items have been deleted. This allows an iCloud device that may be turned off or inaccessible to still remove any browsing history entries deleted from Safari on another device as soon as it comes back online.
Now, all companies that run online services which store user data on servers are required by law to adhere to some form of data retention, obliging them to keep any deleted items on servers for a certain period of time. As explained, keeping a record that a given site has been visited and cleared permits Apple to synchronize this information with other devices that may be currently inaccessible to iCloud.
Elcomsoft successfully pulled these records with its mobile acquisition tool going back more than a year, but that was before Apple silently applied a server-side fix. The tool extracts full information about each record including the date and time on which the record was last accessed as well as the date and time the record has been deleted.
Elcomsoft found those records stored in unhashed form as far back as November 2015.
Elcomsoft's Phone Breaker probing tool could be used to access this data in an unencrypted form. On the other hand, Phone Breaker requires the user to have access to a target's iCloud login credentials or an authentication token stored on the device itself, making iCloud-related privacy invasions difficult to pull off.
According to Forbes, a change Apple implemented in Safari 9.1 and iOS 9.3 turns any deleted URLs from the user's web history into a hashed form to prevent snooping. In the meantime, you can avoid this problem altogether by disabling Safari syncing in iCloud settings on your iPhone, iPad or Mac.
Source: Elcomsoft via Forbes