Mobile

Apple’s iCloud saved the deleted Safari browsing history over the years

According to the Russian forensic firm Elcomsoft the Apple iCloud saved deleted Safari browsing history over the years open the door to surveillance.

According to digital forensics firm Elcomsof, Apple iCloud maintained deleted internet Safari browsing history over the years. The experts at Elcomsof discovered the issue while trying to extract records from iCloud accounts, they were able to retrieve supposedly deleted Safari browser histories from the accounts. The researchers were able to pull information such as the date and time the website was visited and when the record was deleted.

Safari history is synced across the devices used by a specific iCloud account. When the user deletes a record on one device, it will disappear on all other devices in a few seconds when the devices are connected to the Internet.

Users can set iCloud to store their browsing history, in this way it will be available from all the user’s connected devices. The researchers discovered that even if the user deletes the history, iCloud doesn’t actually erase it but keeps it in a format invisible to the user.

“However, those same records will be kept in Apple iCloud for much longer. In fact, we were able to access records dated more than one year back. The user does not see those records and does not know they still exist on Apple servers.” reads a blog post published by the Elcomsoft’s CEO Vladimir Katalov. 

“In fact, we were able to access records dated more than one year back,” 

The experts used the Elcomsoft Phone Breaker forensic tool to extract files from an iCloud account.

How does it work?

In order to extract Safari history from iCloud it is necessary to be authenticated into the user’s Apple ID. The operation can be carried on using login credentials or by using an authentication token extracted from the user’s computer. The authentication tokens are automatically created by iCloud Control Panel on Windows and Mac computers that were synced with iCloud.

The Elcomsoft Phone Breaker can be used by experts to extract iCloud authentication tokens.

“By using the token to log in, you’ll bypass both the password and the secondary authentication prompt if two-factor authentication is enabled on the user’s account. As a result, iCloud access alert will not be delivered to the user.” states the post.

Below the procedure to extract Safari browsing history from iCloud with Elcomsoft Phone Breaker:

  • Launch Elcomsoft Phone Breaker 6.40 or newer
  • Click “Download Synced Data from iCloud”
  • Authenticate with Apple ID/password or binary authentication token
  • Specify everything you’d like to download. Make sure to check “Safari”

The forensic implication of the discovery is serious because it implies the possibility to conduct surveillance activity as explained in the post.

“Forensic use of synced data is hard to underestimate. Unlike cloud backups that are created daily at best, iCloud sync works nearly in real-time. Being able to track suspect’s activities almost no delay can be invaluable for surveillance and investigations.” states Katalov.

“Since deleting browsing history from iCloud is nearly impossible for the user, discovering illicit activities becomes much easier. Experts will be able to recover visits to extremist and other illicit Web sites even if the suspect deletes their browser history or wipes their iPhone.”

Keeping a copy of a user’s browser history can certainly be “invaluable for surveillance and investigations,” Katalov said. But it’s unclear if Apple knew that its iCloud service was storing the deleted records.

Apple didn’t immediately respond to a request for comment, but experts from Elcomsoft noticed that after they disclosed the issue, Apple started “purging” older browser history records from iCloud.

we have informed media about this issue in advance, and they reached Apple for comments. As far as we know, Apple has not responded, but started purging older history records. For what we know, they could be just moving them to other servers, making deleted records inaccessible from the outside; but we never know for sure. Either way, as of right now, for most iCloud accounts we can see history records for the last two weeks only (deleted records for those two weeks are still there though).” states the blog post. But now only deleted records as old as only two weeks can be extracted, the forensic company said.

Elcomsoft suggests disabling the syncing of Safari browsing history from iCloud.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – iCloud ,Safari browsing history)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Millions of SK Telecom customers are potentially at risk following USIM data compromise

SK Telecom warned that threat actors accessed customer Universal Subscriber Identity Module (USIM) info through…

9 hours ago

Abilene city, Texas, takes systems offline following a cyberattack

Abilene, Texas, shut down systems after a cyberattack caused server issues. IT staff and experts…

21 hours ago

Japan ’s FSA warns of unauthorized trades via stolen credentials from fake security firms’ sites

Japan ’s Financial Services Agency (FSA) warns of hundreds of millions in unauthorized trades linked…

22 hours ago

Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan

Researchers spotted a new North Korea-linked group Kimsuky 's campaign, exploiting a patched Microsoft Remote…

1 day ago

New sophisticate malware SuperCard X targets Androids via NFC relay attacks

‘SuperCard X’ - a new MaaS - targets Androids via NFC relay attacks, enabling fraudulent…

2 days ago

Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware

Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.…

2 days ago

This website uses cookies.