Apple appears to have been keeping deleted browser history in users' iCloud accounts, for as long as a year, according to Vladimir Katalov, CEO of ElcomSoft, a company that makes forensics and data recovery tools for Apple products.
The flaw came to light during the past week but appears to have been fixed in the meantime, even if Apple hasn't publicly acknowledged the behavior.
According to Katalov, his company's software, which retrieves backups from iCloud accounts, was able to extract browser history files from iCloud backups going back as early as a year.
Following Katalov's public disclosure, hours later, ElcomSoft researchers noted that Apple addressed the issue, and they were only able to retrieve two-weeks-old (deleted) browser history details.
Apple never explained the steps it took to remediate the issue, so nobody knows if this was intentional behavior or just a bug.
Safari, just like most browsers, saves browsing history inside an SQLite database, known to have issues when rewriting and deleting files. The prime suspect is a database file lock that might have prevented iCloud from deleting older files.
Last month, Dropbox fixed a similar delete bug that kept users' deleted files around for as long as eight years.
In November 2016, the same ElcomSoft team discovered that iPhones were sending a history of all calls to Apple's iCloud service, and there was no way to block the syncing operation from taking place.
Two months earlier, in September, ElcomSoft also discovered that Apple added an alternative password verification mechanism for iTunes backups in iOS 10 that was 2,500 times weaker than the one used in iOS 9. This was eventually fixed in a subsequent iOS 10 update.