In unnerving news, Forbes reported that your web browser history in Safari gets stored in iCloud, even if you deleted it. Using a tool called Phone Breaker, a security analyst accidentally discovered an iCloud record called “tombstone,” and this is where Apple stores the deleted history.
Browser History From The Grave
A Russian company called Elcomsoft created Phone Breaker. CEO Vladimir Katalov said Apple stored browser history as far back as a year, and possibly even longer.
Forbes writer Thomas Fox-Brewster used Phone Breaker on his own iCloud account. It gave him a total of 7,000 records that were supposed to be deleted. It displayed a visit count and the date and time the item was deleted (Apple’s term is cleared, not deleted). Also visible in the tool were the full terms of Google searches.
An iOS forensics expert was even called onto the scene to back up Vladimir Katalov’s claims. The person, who remains anonymous, found the Phone Breaker had recovered 125,203 browsing records in their account. Both Thomas and the forensics expert found the records went back to a date in November 2015.
Risks and Details
So far, it seems as if law enforcement hasn’t been able to access this data. And the records are inaccessible even from remote attacks by hackers. When a person uses Phone Breaker, it requires them to have the target’s iCloud credentials or an authentication token on their device.
What About Apple?
Apple hasn’t made an official comment on the matter, but that doesn’t mean the company is standing still. An insider told Forbes that with Safari 9.1 and iOS 9.3 and later, when a person deletes browser history, the URLs get turned into hashes. This prevents anyone from knowing which websites you’ve visited.
Additionally, Vladimir Katalov found that after the Forbes article was published, their browsing records had disappeared. So it could be that Apple is taking action.
Vladimir Katalov, CEO of Elcomsoft, offered some clarification saying he researched and read iOS release notes, but he couldn’t find information saying that this issue was fixed with Safari 9.1/iOS 9.3.
Elcomsoft tested its software on iOS 9.3, as well as all of the iOS 10 releases (10.0, 10.1, 10.2 and the 10.3 beta). Having your browsing history saved to iCloud doesn’t depend on the iOS version.
Vladimir also said that he couldn’t find a relationship between hashing the URL after deletion and the way the data is stored in iCloud. Elcomsoft didn’t analyze delete requests, only the synced data in iCloud. Apple encrypts this data in the cloud, but also stores the encryption keys alongside it, rendering the concept of security moot.
For the actual records, the information displayed is date/time, page title and URL. For “deleted links, only two data points are stored. One is the normal information as stated above, and the other is a duplicate, but with the “tombstone” tag attachment. So there are no hashes.