Apple fixes iCloud glitch which stored your ‘deleted’ browsing history

Deleted Safari browsing histories were kept for well over a year

Apple has been storing Safari browsing histories in iCloud, even after they’ve been ‘deleted’ by the user, with such records being kept going back to 2015 – although apparently this was an accidental by-product of the way the cloud syncing system works rather than anything malicious, and the issue has now been fixed.

This information first came to light in a Forbes report, which cited Vladimir Katalov, the chief executive of Elcomsoft, a Russian security firm (which focuses on password/system recovery).

Katalov stumbled onto the issue when reviewing the browsing history on his iPhone, when he discovered his supposedly deleted surfing history still present in iCloud, being able to extract it by using his company’s Phone Breaker tool.

Forbes itself replicated this discovery, finding their own surfing records going back to November 2015 (including Google searches of which the terms used were fully visible).

Another anonymous security expert Forbes enlisted to further verify these claims also found deleted Notes in the cloud, as well, although these only went back a month.

Syncing feeling

According to the report, this wasn’t Apple engaging in anything underhand snooping-wise, rather the browsing history was being maintained accidentally, probably as a result of the way syncing data works across iOS, Mac and Apple servers.

Of course, it’s still a worry that the use of Elcomsoft’s Phone Breaker utility allowed for getting hold of such data (although malicious parties would still need access to the login of the iCloud account in question to strip the browsing history).

At any rate, Apple has moved pretty quickly here, and while not having made any official comment, the company has patched iOS and Safari to hash deleted browser URLs. Also, Katalov (and a second source) have said that their retained browsing histories have since disappeared from iCloud, indicating the Apple is clearing out all the old data so it’s properly deleted and unobtainable.