A long-known flaw in Safari's implementation of private browsing that saves the address of each and every website users visit to a file on their local drive, even after closing private browsing windows and quitting Safari, is still present in the latest pre-release versions of OS X Yosemite.
The bug manifests itself as part of Safari's cache mechanism for favicons, the small pictures that appear beside web addresses in the URL bar, bookmarks, and the favorites view. The favicon and accompanying web address for every visited site, including those opened in a private browsing window, are stored in an SQLite database within the user's home folder.
This database, located at ~/Library/Safari/WebpageIcons.db, is not encrypted or obfuscated in any manner.
Issues with improper data retention in Safari's favicon database have been known for years, but were pointed out again by AppleInsider reader @tylerc on Friday. A 2013 article on forensic browser analysis published in the EURASIP Journal on Information Security found that "the easiest way to view the browsing history for Safari private browsing sessions was to locate the 'WebpageIcons' database under Safari artifacts."
"This database provided a good log of every visited URL along with other pertinent information," authors Donny J Ohana and Narasimha Shashidhar concluded.
Tests conducted by AppleInsider on OS X Yosemite 10.10.3 build 14D98g, released to developers earlier this week, confirm that the flaw remains unaddressed. Trashing the WebpageIcons.db file, relaunching Safari, and visiting a web page in a private browsing window logs that visit to the recreated database, and the entry is still there after Safari is quit and launched again.
The relatively easy accessibility of this information could pose problems not just for users whose computers have been compromised by malware or other targeted attacks, but even for those who share their computer with friends or significant others. By reading the database, an operation trivially performed with any of a variety of easy-to-obtain tools, information that users thought was safe could be extracted and used against them.
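As an added illustration of how little effort that extraction takes (example code written for this page, not AppleInsider's or Apple's), the Python script below builds a small constructed SQLite file with the general shape of WebpageIcons.db and then dumps every URL it holds. The table names used in the sample (PageURL and IconInfo) are an assumption about the real file's layout; the dump itself does not depend on them, because it discovers every table with a column named url through sqlite_master and PRAGMA table_info. Pointed at a copy of ~/Library/Safari/WebpageIcons.db, the same functions show whether a site that was only ever visited in a private window is sitting in the file.

```python
import os
import sqlite3
import tempfile
from urllib.parse import urlsplit

# Assumed layout, not stated in the article: a PageURL table mapping each visited
# page URL to an icon ID, and an IconInfo table holding the icon's own URL and a
# timestamp. Only build_sample_db() depends on these names.


def build_sample_db(path=None):
    """Create a constructed stand-in for WebpageIcons.db (sample data, not a real Safari file).

    Returns the path so that the reader functions can be exercised offline.
    """
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "WebpageIcons.db")
    conn = sqlite3.connect(path)
    conn.executescript(
        """
        CREATE TABLE IconInfo (iconID INTEGER PRIMARY KEY, url TEXT, stamp INTEGER);
        CREATE TABLE PageURL (url TEXT, iconID INTEGER);
        -- one ordinary visit and one that the user believes happened only in a private window
        INSERT INTO IconInfo VALUES (1, 'https://example.com/favicon.ico', 1425000000);
        INSERT INTO IconInfo VALUES (2, 'https://private.example.net/favicon.ico', 1425000100);
        INSERT INTO PageURL VALUES ('https://example.com/', 1);
        INSERT INTO PageURL VALUES ('https://private.example.net/secret-page', 2);
        """
    )
    conn.commit()
    conn.close()
    return path


def url_columns(conn):
    """Yield (table, column) for every column literally named 'url' in any user table.

    Schema discovery through sqlite_master means this works even if the real file's
    table names differ from the assumption above.
    """
    tables = [
        row[0]
        for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
        )
    ]
    for table in tables:
        for col in conn.execute(f'PRAGMA table_info("{table}")'):
            if col[1].lower() == "url":  # col = (cid, name, type, notnull, default, pk)
                yield table, col[1]


def dump_urls(path):
    """Return a sorted list of every distinct URL stored anywhere in the database.

    The file is opened read-only so a forensic read never modifies the evidence.
    """
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    urls = set()
    for table, col in url_columns(conn):
        for (url,) in conn.execute(f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL'):
            urls.add(url)
    conn.close()
    return sorted(urls)


def leaked_pages(path, host):
    """URLs in the database whose hostname matches, e.g. a site only visited privately."""
    return [u for u in dump_urls(path) if urlsplit(u).hostname == host]


if __name__ == "__main__":
    # Against the constructed sample; swap in a copy of the real file to check your own Mac.
    sample = build_sample_db()
    for url in dump_urls(sample):
        print(url)
    print("private.example.net present:", bool(leaked_pages(sample, "private.example.net")))
```

To check a real machine, copy ~/Library/Safari/WebpageIcons.db somewhere first (so Safari's own open handle on the live file is never in play) and pass the copy to dump_urls; any host you only ever opened in a private window should not appear, and on the builds the article tested it does.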
Until the problem is addressed, users can clear the data held in WebpageIcons.db manually by using the "Clear History and Website Data..." dialog found in the Safari menu, or by dragging the ~/Library/Safari/WebpageIcons.db file to the trash (and then emptying the Trash, since until then the file has only been moved), which forces Safari to recreate it.
46 Comments
Ouch! Apple should really not be falling prey to this sort of mis-step.
Oh. Yeah, I knew that. I ran into it when restoring 10.10.1 to my laptop to see if that would fix the Wi-Fi problem that popped up for four days and went away immediately after (it didn’t fix it; it went away on its own).
I figured it was iCloud saving every single URL, given that it has to sync it all between all your devices. But it’s local? Okay. Of course iCloud DOES save all your URLs, but to know it’s local is… I dunno, what? It’s annoying if you ever have to restore, but beyond that what’s there to say?
iCloud shouldn't be syncing tabs from private browsing windows anyway. And iCloud enabled or not, Safari shouldn't leave any permanent traces on the disk from private windows. The whole point of private browsing is to prevent the history from being saved. But Safari is saving all of the history from them, indefinitely, in an easily-read file. This bug is pretty egregious.
There's a typo in the heading. It should read Chrome not Safari. ;)
Drag and drop text over Safari's icon gets a crash unless the text is editable, a URL, or a text snippet. It is a very long-time bug in Safari or in texts...