iCloud-stored Safari browser history was discovered to be stored on iCloud and accessible by an update to a newly-updated forensics data gathering suite for over a year even after deletion -- but Apple has already taken steps to rectify the problem.
by Forbes, security researchers at Elcomsoft discovered that Apple was retaining an iCloud record that kept deleted web history "by accident." Using software developed by Elcomsoft only released today, researcher Vladimir Katalov downloaded his own data, and discovered records going back to Nov. 2015.
Other information retrievable by the forensics tool on an iCloud-synced iPhone with Safari history retention turned on, were full Google search terms back to 2015, and "cleared" Notes for the last 30 days.
According to an unnamed forensics expert contacted by Forbes separate from Elcomsoft, the retention isn't malicious. The second expert noted that the failure by Apple was related to preventing the data from being read by forensics tools like Elcomsoft Phone Breaker and not an outright failure to delete the information, as the data needs to be retained for a while by iCloud to properly sync changes across devices.
Forensics tools like the tool used to examine the iCloud data still requires access to a target's iCloud credentials, or the unlocked device itself to get at the Safari and Google information. Also, users choosing to not sync Safari data to iCloud are unaffected, as are private browsing sessions.
The same Elcomsoft iPhone forensics tool used to probe iCloud data on Thursday was reportedly used in the celebrity data thefts from 2014.
Shortly after initial publication of the security and privacy problem, Forbes was contacted by Elcomsoft and another source, noting that old records were being removed as a result of Apple taking swift action on the matter.
Katalov was at the core of the discovery in Nov. 2016 finding that phone numbers dialed on an iPhone were being retained. Apple has since dealt with that as well.
At the time of the phone number data retention, AppleInsider was provided with a statement by Apple, suggesting that users "select strong passwords and use two-factor authentication," which would have prevented data from being harvested in Thursday's exploit, had it not been rectified by Apple.