When you click "delete" on your Mac's Safari browsing history, you expect those records to be expunged forever, right? Well, new research from a forensics firm has alleged a browser "syncing" feature used by Apple was causing iCloud to store such records for over a year.
According to Russia-based computer analytics firm Elcomsoft, deleting your history does indeed make the records vanish from synced devices using the same Apple ID. Yet crucially, if stored in the cloud, they continued to remain available to Apple's servers for months.
To probe further, the firm, which sells software used by governments and companies to break into devices, updated one of its iPhone cracking tools, dubbed PhoneBreaker, to extract records previously assumed to have been banished to the annals of history.
As noted in a blog post, it was then able to pull a slew of Safari browsing data including the exact dates and times each record was visited and deleted.
"Once you delete a record on one device, it will disappear on all other devices in a matter of seconds or minutes, provided that those devices are connected to the internet," wrote Vladimir Katalov, Elcomsoft's CEO.
"While those records can be retained for technical reasons, a flush or clean-up will purge them sooner or later. However, those same records will be kept in Apple iCloud for much longer," he continued. "In fact, we were able to access records dated more than one year back.
"The user does not see those records and does not know they still exist on Apple servers."
Katalov told Forbes he came across the mysterious system by accident after testing his firm's tools on his own iPhone history and linked iCloud account. Katalov found his browsing records were not only still existing, but going back a full 12 months.
Forbes tested the claim by clearing a Safari history and running PhoneBreaker on the account. Eventually it successfully uncovered thousands of records previously thought to have been deleted – including date and time the history item was deleted and even data about Google searches.
A second expert later helped validate the research, running the same experiment to recover over 125,000 browsing history records going back again to 2015. Despite the concern, experts have suggested the issue is not believed to have malicious intent.
Instead, it appears the records are kept – albeit in a secretive way – to ensure data is able to be properly synchronised between iOS, Mac and Apple servers over time. The second security expert told Forbes enhanced encryption would help keep the data from prying eyes.
And according to 9to5Mac, citing "sources familiar with the situation", Apple has done just this. The firm reportedly fixed the issue of plain-text data being accessible using this cracking technique in iOS 9.3, meaning the majority of users who have updated will not be affected.
But for unpatched devices, Elcomsoft said the discovery could have "significant" forensic implications. "Unlike cloud backups that are created daily at best, iCloud sync works nearly in real-time. Being able to track suspect's activities almost no delay can be invaluable for surveillance," Katalov said.
The purge begins
Apple has not yet publicly responded to the research, yet Elcomsoft said reports have surfaced that indicate the firm has actively started to "purge" these older records. Katalov said: "[It] could be just moving them to other servers, making deleted records inaccessible from the outside.
"Either way, as of right now, for most iCloud accounts we can see history records for the last two weeks only (deleted records for those two weeks are still there though). Good move, Apple. Still, we would like to get an explanation."
Of course, if you want to be sure the issue will not affect you it is possible to simply turn the Safari syncing option off altogether. This is not the first time Elcomsoft research has had Tim Cook's tech giant in its crosshairs. Last November, it released analysis claiming iPhones were sending call logs in real time to Apple's servers, even when iCloud backup was switched off.
Apple later fixed the issue.
IBTimes UK contacted Apple for comment however recieved no response at the time of publication