Software company Elcomsoft, a specialist in extracting data from iOS devices, discovered the issue while building an updated version of its Phone Breaker app. iCloud seemingly ignores users’ requests to delete browsing history, only removing it from the local device.
In one instance, Elcomsoft managed to recover a list of visited websites dating back over one year. The data is stored as a separate iCloud record labelled “tombstone,” independent of the main browsing history data. Site names, URLs, visit counts and timestamps can be retrieved.
Locally, Safari retains browsing history for several months despite only displaying websites from the past 30 days to the user. iCloud shouldn’t work in the same way though. Users expect pressing “delete” to remove the data from the cloud, rather than have it archived in a tombstone account.
There is an explanation for the behaviour. It appears as though the data is used to power iCloud’s cross-device sync functionality. Multiple devices can share browsing history information with another when using the same Apple account. To keep everything synchronised, iCloud retains a list of deleted records. It can then make sure website visits are removed from every device when Safari’s history is cleared.
The discovery has concerned privacy advocates though. Apple doesn’t disclose that this is what happens, leading users to believe the data is deleted immediately. It is difficult to access, requiring special tools like Elcomsoft, but could be harvested in a cyberattack and sold online.
“The point is that Apple keeps synced Safari browsing history in the cloud for much longer than one, three or four months – even for deleted entries,” said Elcomsoft. “Elcomsoft researchers were able to access records that’ve been deleted more than a year ago, which means that deleted records are not actually cleaned up from iCloud.”
Shortly after Elcomsoft published its report, iCloud’s behaviour suddenly changed. Although Apple hasn’t officially commented on the issue, it appears as though it’s quietly rolled out a fix that changes how data is stored, apparently fixing the flaw.
Browsing history records older than two weeks have been deleted from the servers, leaving much less information online. It remains unclear whether records have been capped at two weeks or if files could begin to accumulate again over time. It’s also possible that Apple has simply blocked third-party tools from accessing the archived records.
As of now, it seems as though Apple has solved the issue and purged the data it should have already deleted. Users with iOS version 9.3 and newer have better protection because history records are transferred as encrypted hashes rather than plaintext, making it harder for outsiders to view them.
