This morning, a Russian forensics firm named Elcomsoft announced a way to extract years’ worth of web browsing records from Apple’s iCloud storage system, a method first reported by Forbes. Those records included site names, URLs, and when a given site was visited. Cleared browsing records are also visible in the records, although they are marked as “deleted” in the table. Mobile browsing records are also visible, although the sites themselves appear to be hashed in the most recent versions of iOS.
Elcomsoft did not disclose the new method to Apple, but the company responded quickly once news of the bug became public. Within hours of the Forbes report, a server-side fix began to stop the retrievals, apparently deleting all records older than two weeks. Elcomsoft acknowledged the change in a blog post. “Good move, Apple,” an update said. “Still, we would like to get an explanation.”
iCloud used the records to sync browser histories across different devices, a central feature of Safari. Clearing your browsing history on a Mac will also clear it on phones and tablets linked through iCloud, even if the devices are powered down when the request is made. That function typically requires a record that a given site has been visited and cleared. Still, Elcomsoft found those records stored in unhashed form, as far back as November 2015, making them ripe for forensic analysis.
Unlike most iCloud data, the records don’t seem to have been accessible to law enforcement requests. Apple declined to comment when reached by The Verge.