So it appears that beta 2 of iOS 8 does not properly clear browsing data when you click the “Clear History and Website Data” setting within Safari options.
In the screenshot above you can see the setting, but when used you can still browse to your Safari history and view it in its entirety, as seen in the screenshot below.
Issues like this are becoming magnified in severity due to synchronization features within browsers. Safari and Chrome, for example, can synchronize your history and other browser data from your phone to your tablet and desktop.
The issue above was confirmed with iOS 8 and OS X Yosemite. I opened a number of sites on my iCloud-connected iPad, cleared my browser data using the feature above, and then was able to pull that same data up on my Yosemite desktop later.
So it’s not just that the data clearing didn’t work; it’s also that the data that was expected to be cleared was propagated to all connected devices.
This is bad for obvious reasons: someone could be doing something sensitive on their phone or tablet without realizing that this information is being propagated to all of the other (potentially shared) devices they use. This is compounded by the fact that the built-in feature meant explicitly for clearing the history doesn’t work.
If you’re using iOS 8, just keep it in mind while Apple addresses the issue.
- If this had been an actual vulnerability and not just an “oh, they should fix that post-beta”, I would have used a disclosure process.