Apple iCloud Hoards ‘Deleted’ Browser History Going Back More … – Forbes
If you think clearing your web browsing history on your iPhone or Mac is going to make your online habits permanently disappear, you’d be wrong. Very wrong. According to the CEO of Russian hacking tool creator Elcomsoft, Apple is storing Safari histories in the iCloud going back more than a year, possibly much longer, even where the user has asked for them to be wiped from memory.
Elcomsoft chief Vladimir Katalov told FORBES the iPhone maker kept a separate iCloud record, titled “tombstone”, in which deleted web visits were stored, ostensibly for syncing across devices. Katalov told me he came across the issue “by accident” when he was looking through the Safari history on his own iPhone. When he took Elcomsoft’s Phone Breaker software to extract data from the linked iCloud account, he found “deleted” records going back a year. (Apple calls them “cleared” in Safari, not “deleted”).
“We have found that they stay in the cloud probably forever,” Katalov claimed.
Your reporter tried clearing his Safari (version 10.0.2 on Mac OS X) history and then ran the Phone Breaker tool on his iCloud account. It returned nearly 7,000 “deleted” records going back to 27 November 2015. They were accompanied by a visit count as well as the date and time the history item was deleted. There were also Google searches, the full terms of which were visible in the Elcomsoft control panel. Fresh Safari activity that I hadn’t cleared was given the status “actual”.
FORBES also had an iOS forensics expert validate Katalov’s claims. The expert, who asked to remain anonymous, found the Elcomsoft Phone Breaker tool recovered 125,203 records from their browsing history going back to the same 2015 date, even though the Safari cache had been cleared. The expert also found Notes they’d supposedly deleted, but they only went back a short period, less than 30 days, indicating Apple was purging them regularly.
It’s unclear just how or why Apple is storing cleared browsing history for such a long period. It would appear to be a design issue rather than anything suspicious, and is likely to do with the syncing mechanism between iOS, Mac OS X and Apple servers. Consumer cloud services like iCloud, by their nature, require records of delete requests to remain accessible for stretches of time, as users may have devices turned off that need to come alive again before they can sync and remove the browsing history. The fact that Apple didn’t hide the deleted records indicated it wasn’t a purposeful data retention effort, but an oversight, according to the forensics expert. Effective encryption and a different design would help hide the information from both Apple and probing tools like Elcomsoft’s Phone Breaker, the source added.
Jay Stanley, senior policy analyst at the American Civil Liberties Union (ACLU), said companies had to be very careful to follow best practice and delete users’ data when requested. “Overall, assuming this was a mistake, it’s a reminder that storing and retention of data is the default as a technical matter,” Stanley said.
“Browsing history is a very sensitive set of data. It reveals people’s interests, concerns, worries and in many cases their every fleeting thought, as well as health information, information on their sexuality.
“It’s vital that people are able to trust that they can be in control of that kind of information. It’s one reason we advise using search tools that don’t store your history.”
There’s no evidence law enforcement has been able to access such data, if the feds even knew they could get it in the first place. And remote attacks by criminals would be difficult: Phone Breaker requires the hacker to have access to a target’s iCloud login credentials or an authentication token stored on the victim device. Katalov’s disclosure, ironically, will also lead to the imminent redundancy of the very Phone Breaker feature that came from his discovery, which only went live this morning.
Not that he appears that bothered. “Money is not the main thing we work for,” said Katalov, in our email correspondence. “But we are still going good. There are enough features in our products that are quite useful for many customers, from consumers to law enforcement, that do not rely on vulnerabilities. And finally, quite a lot of research is in progress – we will always find something new.”
Elcomsoft is best known not for aiding any law enforcement activity, but for a salacious episode in the history of Apple hacks: reports alleged it was used by snoops who stole celebrities’ nude pictures stored in the iCloud. The so-called “Fappening” attacks saw images belonging to the likes of Jennifer Lawrence and Kate Upton leaked online, and the perpetrators sentenced to prison.
Apple in patch mode… and an easy fix
Apple declined to comment on Elcomsoft’s findings.
But a source with knowledge of the matter told me Apple has updated iOS and Safari to make it harder. Starting with Safari 9.1 and iOS 9.3, when users delete browsing history, the URLs are turned into hashes — that’s when plaintext is represented by a collection of digits and letters after being put through an algorithm. That goes some way to stopping any potential snoops looking at the data, though it hasn’t prevented Elcomsoft’s tool from grabbing the information from the latest versions of Safari.
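An added sketch, not Apple's or Elcomsoft's code, of the two ideas discussed above: delete markers ("tombstones") that are held only until every device has synced or a retention window passes, and URLs stored as hashes rather than plaintext. The class and function names, the 30-day window and the use of HMAC-SHA256 with a device-held key are all assumptions made for illustration.

```python
import hashlib
import hmac

RETENTION = 30 * 24 * 3600  # assumed purge window (seconds), not Apple's value

def plain_tag(url):
    # Unkeyed hash: anyone can hash a candidate URL and compare.
    return hashlib.sha256(url.encode()).hexdigest()

def keyed_tag(device_key, url):
    # Keyed hash: matching needs a key held only on the user's devices.
    return hmac.new(device_key, url.encode(), hashlib.sha256).hexdigest()

class TombstoneStore:
    """Server side: keeps delete markers until every device has applied them."""
    def __init__(self, devices):
        self.devices = set(devices)
        self.tombstones = {}  # tag -> (deleted_at, devices still to sync)

    def clear(self, tag, from_device, now):
        self.tombstones[tag] = (now, self.devices - {from_device})

    def sync(self, device, now):
        # Hand the device the tags it must delete locally, then purge.
        due = [t for t, (_, pending) in self.tombstones.items() if device in pending]
        for tag in due:
            self.tombstones[tag][1].discard(device)
        self.purge(now)
        return due

    def purge(self, now):
        # Drop markers every device has applied, or that are past the window.
        self.tombstones = {t: (ts, pending)
                           for t, (ts, pending) in self.tombstones.items()
                           if pending and now - ts < RETENTION}

def demo():
    key = b"constructed-device-key"  # constructed sample value
    store = TombstoneStore({"phone", "mac"})
    store.clear(keyed_tag(key, "https://example.com/a"), "phone", now=0)
    store.clear(keyed_tag(key, "https://example.com/b"), "phone", now=0)
    applied = store.sync("mac", now=60)  # mac was offline, now catches up
    left_after_ack = len(store.tombstones)
    store.clear(keyed_tag(key, "https://example.com/c"), "mac", now=100)
    store.purge(now=100 + RETENTION)  # phone never came back online
    return len(applied), left_after_ack, len(store.tombstones)
```

Expiring a marker before a device has synced leaves that device's local copy of the entry in place, which is the trade-off the retention window sets.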
Expect Apple to continue plugging holes that Elcomsoft finds, though, as it has done with other recent public disclosures by Katalov. In cases such as this, the user won’t need to do a thing, as the fixes will be done on Apple’s servers. Nevertheless, as the Cupertino giant recommends, using the most recent software versions will keep customers safer from privacy invasions.
In the meantime, it’s possible to turn Safari syncing off to avoid the problem altogether. Apple has a good guide about how to turn iCloud features on and off here.
UPDATE Shortly after publication, FORBES was contacted by Katalov and another source, who claimed that their old records were disappearing. It appears, they said, that Apple is purging. There was no update from Apple, however.
Got a tip? Email at TFox-Brewster@forbes.com or email@example.com for PGP mail. Get me on Signal on +447837496820 or firstname.lastname@example.org on Jabber for encrypted chat.