Safari browser history synced to iCloud was found to remain stored on iCloud, and accessible to a newly updated forensics data-gathering suite, for over a year even after deletion, but Apple has already taken steps to rectify the problem.
First reported by Forbes, security researchers at Elcomsoft discovered that Apple was retaining an iCloud record that kept deleted web history "by accident." Using software developed by Elcomsoft only released today, researcher Vladimir Katalov downloaded his own data, and discovered records going back to Nov. 2015.
Other information retrievable by the forensics tool on an iCloud-synced iPhone with Safari history retention turned on included full Google search terms back to 2015 and "cleared" Notes for the last 30 days.
According to an unnamed forensics expert contacted by Forbes separate from Elcomsoft, the retention isn't malicious. The second expert noted that the failure by Apple was related to preventing the data from being read by forensics tools like Elcomsoft Phone Breaker and not an outright failure to delete the information, as the data needs to be retained for a while by iCloud to properly sync changes across devices.
Forensics tools like the one used to examine the iCloud data still require access to a target's iCloud credentials, or the unlocked device itself, to get at the Safari and Google information. Also, users choosing to not sync Safari data to iCloud are unaffected, as are private browsing sessions.
The same Elcomsoft iPhone forensics tool used to probe iCloud data on Thursday was reportedly used in the celebrity data thefts from 2014.
Shortly after initial publication of the security and privacy problem, Forbes was contacted by Elcomsoft and another source, noting that old records were being removed as a result of Apple taking swift action on the matter.
Katalov was at the core of the discovery in Nov. 2016 that phone numbers dialed on an iPhone were being retained. Apple has since dealt with that as well.
At the time of the phone number data retention, AppleInsider was provided with a statement by Apple, suggesting that users "select strong passwords and use two-factor authentication," which would have prevented data from being harvested in Thursday's exploit, had it not been rectified by Apple.
10 Comments
Pretty normal for data participating in a synchronisation system to never be deleted, because the fact the information was deleted needs to be stored so that any future clients coming on line can receive the update. The notes app never really deletes any notes from its local database either and thus likely never from the server.
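The point made in the article and in the comment above, that a sync service has to remember that a record was deleted, as an added sketch that is not part of the original page and is not Apple's or Elcomsoft's code: a deletion is kept as a tombstone holding only the record ID and version, with the content scrubbed at once and the tombstone purged after a retention window. `SyncStore`, `Client`, `recoverable_payloads` and the 30-day `RETENTION_SECS` are hypothetical names and values chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RETENTION_SECS = 30 * 24 * 3600  # assumed tombstone lifetime, not a documented value

@dataclass
class Record:
    rid: str
    payload: Optional[str]              # e.g. a visited URL; None once deleted
    version: int
    deleted_at: Optional[float] = None  # set only on tombstones

class SyncStore:  # hypothetical server-side store
    def __init__(self):
        self.records, self.version = {}, 0

    def put(self, rid, payload, deleted_at=None):
        self.version += 1
        self.records[rid] = Record(rid, payload, self.version, deleted_at)

    def delete(self, rid, now):
        # Keep only what sync needs (id, version, time); drop the content now.
        self.put(rid, None, deleted_at=now)

    def changes_since(self, version):
        newer = [r for r in self.records.values() if r.version > version]
        return sorted(newer, key=lambda r: r.version)

    def purge(self, now):
        old = [rid for rid, r in self.records.items()
               if r.deleted_at is not None and now - r.deleted_at >= RETENTION_SECS]
        for rid in old:
            del self.records[rid]       # tombstone has outlived the window
        return old

class Client:
    def __init__(self):
        self.local, self.cursor = {}, 0

    def sync(self, store):
        for r in store.changes_since(self.cursor):
            if r.deleted_at is None:
                self.local[r.rid] = r.payload
            else:
                self.local.pop(r.rid, None)  # apply the remote deletion
            self.cursor = r.version

def recoverable_payloads(store):
    """Content still readable by anything holding account access."""
    return [r.payload for r in store.records.values() if r.payload is not None]
```

A client that stays offline longer than the retention window never sees the tombstone and needs a full resync, which is the cost of purging.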
I'm surprised there isn't an avalanche of articles screaming bloody murder after Forbes published this story. When I read the Forbes story I expected the author to not explain how iCloud synchronization worked in an attempt to explain why Apple might keep data for a while. As expected the author did not explain.
Oh my, Apple is keeping my data so I can use it across multiple devices, shame on them for hanging on to it until it's really not needed anymore. And shame on them for limiting access to only the user who created the information.
Basically a non-story and time to move on. May not be fake news, but it is fake controversy for sure. The media does not like the fake-news tag line since all news is real to them, but they do spend lots of time trying to make unimportant things more important than they need to be.
It's the user who chooses, and actively uh... 'activates' this feature in the first place.
The information is 'supposed' to be stored. If I didn't want it stored, I wouldn't have turned it on.
Ditto the above comments - If I was worried about how long Apple stored the data (or about Apple storing the data at all) I wouldn't activate it.
As a reminder to people, you can activate private browsing in iOS by tapping the tabs button and then tapping 'Private' in the lower left corner.
https://support.apple.com/en-us/KM205106?cid=acs::applesearch