Customers check out the new Apple iPhone 7 at the Apple Store at the Grove in Los Angeles on Friday, Sept. 16, 2016. (AP Photo/Richard Vogel)
If you think clearing your web browsing history on your iPhone or Mac is going to make your online habits permanently disappear, you’d be wrong. Very wrong. According to the CEO of Russian hacking tool creator Elcomsoft, Apple is storing Safari histories in the iCloud going back more than a year, possibly much longer, even where the user has asked for them to be wiped from memory.
Elcomsoft chief Vladimir Katalov told FORBES the iPhone maker kept a separate iCloud record, titled “tombstone”, in which deleted web visits were stored, ostensibly for syncing across devices. Katalov told me he came across the issue “by accident” when he was looking through the Safari history on his own iPhone. When he took Elcomsoft’s Phone Breaker software to extract data from the linked iCloud account, he found “deleted” records going back a year. (Apple calls them “cleared” in Safari, not “deleted”).
“We have found that they stay in the cloud probably forever,” Katalov claimed.
Your reporter tried clearing his Safari (version 10.0.2 on Mac OS X) history and then ran the Phone Breaker tool on his iCloud account. It returned nearly 7,000 “deleted” records going back to 27 November 2015. They were accompanied by a visit count as well as the date and time the history item was deleted. There were also Google searches, the full terms of which were visible in the Elcomsoft control panel. Fresh Safari activity that I hadn’t cleared was given the status “actual”.
Elcomsoft’s Phone Breaker tool showing your reporter’s Google search history in Safari from 2016. Though cleared and marked deleted, the records remain viewable as iCloud stores them, according to the hacking tool’s creator.
FORBES also had an iOS forensics expert validate Katalov’s claims. The expert, who asked to remain anonymous, found the Elcomsoft Phone Breaker tool recovered 125,203 records from their browsing history going back to the same 2015 date, even though the Safari cache had been cleared. The expert also found Notes they’d supposedly deleted, but they only went back a short period, less than 30 days, indicating Apple was purging them regularly.
It’s unclear just how or why Apple is storing cleared browsing history for such a long period. It would appear to be a design issue rather than anything suspicious, and is likely to do with the syncing mechanism between iOS, Mac OS X and Apple servers. Consumer cloud services like iCloud, by their nature, require records of delete requests to remain accessible for stretches of time, as users may have devices turned off that need to come alive again before they can sync and remove the browsing history. Apple’s oversight was not in keeping that feature running, according to the forensics expert, but in failing to properly hide the data from probing tools like Elcomsoft with encryption.
Jay Stanley, senior policy analyst at the American Civil Liberties Union (ACLU), said companies had to be very careful to follow best practise and delete users’ data when requested. “Overall, assuming this was a mistake, it’s a reminder that storing and retention of data is the default as a technical matter,” Stanley said.
“Browsing history is a very sensitive set of data. It reveals people’s interests, concerns, worries and in many cases their every fleeting thought, as well as health information, information on their sexuality.
“It’s vital that people are able to trust that they can be in control of that kind of information. It’s one reason we advise using search tools that don’t store your history.”
There’s no evidence law enforcement has been able to access such data, if the feds even knew they could get it in the first place. And remote attacks by criminals would be difficult: Phone Breaker requires the hacker to have access to a target’s iCloud login credentials or an authentication token stored on the victim device. Katalov’s disclosure, ironically, will also lead to the imminent redundancy of the very Phone Breaker feature that came from his discovery, which only went live this morning.
Not that he appears that bothered. “Money is not the main thing we work for,” said Katalov, in our email correspondence. “But we are still going good. There are enough features in our products that are quite useful for many customers, from consumers to law enforcement, that do not rely on vulnerabilities. And finally, quite a lot of research is in progress – we will always find something new.”
Elcomsoft is best known not for aiding any law enforcement activity, but for a salacious episode in the history of Apple hacks: reports alleged it was used by snoops who stole celebrities’ nude pictures stored in the iCloud. The so-called “Fappening” attacks saw images belonging to the likes of Jennifer Lawrence and Kate Upton leaked online, and the perpetrators sentenced to prison.
Apple in patch mode… and an easy fix
Apple declined to comment on Elcomsoft’s findings.
But a source with knowledge of the matter told me Apple has updated iOS and Safari to make it harder. Starting with Safari 9.1 and iOS 9.3, when users delete browsing history, the URLs are turned into hashes — that’s when plaintext is represented by a collection of digits and letters after being put through an algorithm. That goes some way to stopping any potential snoops looking at the data, though it hasn’t prevented Elcomsoft’s tool from grabbing the information from the latest versions of Safari.
Expect Apple to continue plugging holes that Elcomsoft finds, though, as it has done with other recent public disclosures by Katalov. In cases such as this, the user won’t need to do a thing, as the fixes will be done on Apple’s servers. Nevertheless, as the Cupertino giant recommends, using the most recent software versions will keep customers’ safer from privacy invasions.
In the meantime, it’s possible to turn Safari syncing off to avoid the problem altogether. Apple has a good guide about how to turn iCloud features on and off here.
Got a tip? Email at TFox-Brewster@forbes.com or firstname.lastname@example.org for PGP mail. Get me on Signal on +447837496820 or email@example.com on Jabber for encrypted chat.