Apple appears to have been keeping deleted browser history in users' iCloud accounts, for as long as a year, according to Vladimir Katalov, CEO of ElcomSoft, a company that makes forensics and data recovery tools for Apple products.

The flaw came to light during the past week but appears to have been fixed in the meantime, even if Apple hasn't publicly acknowledged the behavior.

According to Katalov, his company's software, which retrieves backups from iCloud accounts, was able to extract browser history files from iCloud backups going back as far as a year.

Apple quietly addressed the issue

Apple allows users to sync Internet browser history to iCloud accounts, so users can access previously visited sites on different devices. According to Apple's privacy policy, the company also stores deleted browser histories, but for no longer than 30 days.

Hours after Katalov's public disclosure, ElcomSoft researchers noted that Apple had addressed the issue, and they were able to retrieve only two-week-old (deleted) browser history details.

Apple never explained the steps it took to remediate the issue, so nobody knows if this was intentional behavior or just a bug.

Server bug is the most likely explanation

Safari, like most browsers, saves browsing history inside an SQLite database, a format known to have issues when rewriting and deleting files. The prime suspect is a database file lock that might have prevented iCloud from deleting older files.

Last month, Dropbox fixed a similar delete bug that kept users' deleted files around for as long as eight years.

In November 2016, the same ElcomSoft team discovered that iPhones were sending a history of all calls to Apple's iCloud service, and there was no way to block the syncing operation from taking place.

Two months earlier, in September, ElcomSoft also discovered that Apple added an alternative password verification mechanism for iTunes backups in iOS 10 that was 2,500 times weaker than the one used in iOS 9. This was eventually fixed in a subsequent iOS 10 update.
