Before web browsers embraced private windows, clearing their history was something of a technological rite of passage. Embarrassing searches? Gone. Porn? Never heard of it. But now ElcomSoft has revealed that it's possible to retrieve deleted Safari browsing history from iCloud. Whoops.
The digital forensics company said browser history is stored in iCloud if people choose to sync their Safari tabs across multiple devices. (The browser is available on Mac, iPhone, and iPad.) "While researching this sync, we discovered that deleting a browsing history record makes that record disappear from synced devices," ElcomSoft CEO Vladimir Katalov explained in a blog post. "However, the record still remains available (but invisible) in iCloud."
Katalov said these hidden records can be stored on iCloud for up to a year. ElcomSoft was also able to "pull additional information about Safari history entries including the exact date and time each record was last visited and deleted." The company, which assists law enforcement with retrieving information from electronic devices, has updated its ElcomSoft Phone Breaker tool with the ability to grab all of this hidden information from iCloud.
Here's how Katalov said this could prove useful to law enforcement:
"Forensic use of synced data is hard to underestimate. Unlike cloud backups that are created daily at best, iCloud sync works nearly in real-time. Being able to track suspect’s activities with almost no delay can be invaluable for surveillance and investigations.
"Since deleting browsing history from iCloud is nearly impossible for the user, discovering illicit activities becomes much easier. Experts will be able to recover visits to extremist and other illicit Web sites even if the suspect deletes their browser history or wipes their iPhone."
The method did require access to someone's iOS device--setting up a new device wouldn't carry over "deleted" records--and access to someone's Apple ID. ElcomSoft does offer tools that help law enforcement extract authentication tokens from devices (thus removing the need to either know someone's login credentials or try to brute-force them) but the barriers to entry should make it difficult to exploit this problem on a large scale.
Katalov said that ElcomSoft informed the media about this problem before disclosing it to the public. After it did so, the company noticed a change:
"Update: we have informed media about this issue in advance, and they reached Apple for comments. As far as we know, Apple has not responded, but started purging older history records. For what we know, they could be just moving them to other servers, making deleted records inaccessible from the outside; but we never know for sure. Either way, as of right now, for most iCloud accounts we can see history records for the last two weeks only (deleted records for those two weeks are still there though).
"Good move, Apple. Still, we would like to get an explanation."
If Apple has fixed this issue, people should be able to sync their Safari tabs without fear. Anyone worried about law enforcement digging through their browsing history, however, should probably turn off that feature. Which is worse: not having easy access to a few tabs, or a secret browser history?