Apple appears to have been keeping deleted browser history in users' iCloud accounts, for as long as a year, according to Vladimir Katalov, CEO of ElcomSoft, a company that makes forensics and data recovery tools for Apple products.

The flaw came to light during the past week but appears to have been fixed in the meantime, even if Apple hasn't publicly acknowledged the behavior.

According to Katalov, his company's software, which retrieves backups from iCloud accounts, was able to extract browser history files from iCloud backups going back as far as a year.

Apple quietly addressed the issue

Apple allows users to sync Internet browser history to iCloud accounts, so users can access previously visited sites on different devices. According to Apple's privacy policy, the company also stores deleted browser histories, but for no longer than 30 days.

Hours after Katalov's public disclosure, ElcomSoft researchers noted that Apple had addressed the issue, and they were only able to retrieve deleted browser history details that were two weeks old.

Apple never explained the steps it took to remediate the issue, so nobody knows if this was intentional behavior or just a bug.

Server bug is the most likely explanation

Safari, like most browsers, saves browsing history inside an SQLite database, which is known to have issues when rewriting and deleting files. The prime suspect is a database file lock that might have prevented iCloud from deleting older files.
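The lock hypothesis above can be reproduced on a local SQLite file. The sketch below is an added illustration, not Apple's or ElcomSoft's code: the `history` table, its columns and the sample rows are constructed, and it shows a retention purge failing while another connection holds the write lock, plus the check that would expose the overdue rows.

```python
import os
import sqlite3
import tempfile
import time

DAY = 86400
RETENTION_DAYS = 30  # retention limit the article cites from Apple's policy

def make_db(path, now):
    """Create a hypothetical history table with constructed sample rows."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE history (url TEXT, deleted_at REAL)")
    con.executemany("INSERT INTO history VALUES (?, ?)", [
        ("https://example.com/old", now - 365 * DAY),    # deleted a year ago
        ("https://example.com/recent", now - 14 * DAY),  # deleted two weeks ago
    ])
    con.commit()
    con.close()

def purge(path, now, timeout=0.1):
    """Remove rows past retention. Returns False if the lock blocked the delete."""
    con = sqlite3.connect(path, timeout=timeout)
    try:
        with con:  # commits on success, rolls back on error
            con.execute("DELETE FROM history WHERE deleted_at < ?",
                        (now - RETENTION_DAYS * DAY,))
        return True
    except sqlite3.OperationalError:  # "database is locked"
        return False  # a job that ignores this leaves old rows in place
    finally:
        con.close()

def overdue(path, now):
    """Count rows that should already have been purged (the retention check)."""
    con = sqlite3.connect(path, timeout=0.1)
    n = con.execute("SELECT COUNT(*) FROM history WHERE deleted_at < ?",
                    (now - RETENTION_DAYS * DAY,)).fetchone()[0]
    con.close()
    return n

def demo():
    now = time.time()
    path = os.path.join(tempfile.mkdtemp(), "history.db")
    make_db(path, now)
    holder = sqlite3.connect(path, isolation_level=None)
    holder.execute("BEGIN IMMEDIATE")  # another process holding the write lock
    blocked, stale = purge(path, now), overdue(path, now)
    holder.close()  # releases the lock (the open transaction is rolled back)
    return blocked, stale, purge(path, now), overdue(path, now)
```

`demo()` returns `(False, 1, True, 0)`: the purge is refused while the lock is held and the year-old row stays readable, then the same purge succeeds once the lock is released.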

Last month, Dropbox fixed a similar delete bug that kept users' deleted files around for as long as eight years.

In November 2016, the same ElcomSoft team discovered that iPhones were sending a history of all calls to Apple's iCloud service, and there was no way to block the syncing operation from taking place.

Two months earlier, in September, ElcomSoft also discovered that Apple added an alternative password verification mechanism for iTunes backups in iOS 10 that was 2,500 times weaker than the one used in iOS 9. This was eventually fixed in a subsequent iOS 10 update.
