Have you ever tried to delete your browsing history on your iPhone or iPad, but some items just refused to disappear? You’re not alone. This seemingly small issue was actually a real vulnerability and was cataloged as CVE-2023-42951 by Apple. In this article, we’ll break down what happened, how it worked, and what was done to fix it. If you’re running iOS or iPadOS, this is something you’ll want to know.
What is CVE-2023-42951?
CVE-2023-42951 is a vulnerability that affected the Safari browser (and other apps using WebKit) on iOS and iPadOS devices. Specifically, users experienced a bug where certain browsing history items could not be deleted, even after they tried to wipe them from their device.
This was not just a cosmetic issue—your device could retain records of sites you visited, which is a privacy concern.
Apple’s advisory:
> “A user may be unable to delete browsing history items. The issue was addressed with improved handling of caches. This issue is fixed in iOS 17.1 and iPadOS 17.1.”
(Apple Security Updates)
How Did the Bug Work?
The root of the problem came from how the browser *cached* history items. Normally, when you visit sites, Safari (and WebKit-based browsers) store pages in a cache to make reloading quicker. When you ask to delete your history, the browser is supposed to clear both the visible history and any cached information.
But with CVE-2023-42951, some history items remained stuck in the cache. So, even if you deleted your history through Settings or within the browser, these cached entries could still be accessed programmatically or might reappear later.
Technical Details (Simplified)
The main issue was that the browser’s deletion routines did not reach into every type of cache. In JavaScript terms, imagine the following:
// Pseudocode representation:
function deleteHistory(url) {
historyDatabase.delete(url); // Deletes main history
// But forgot to delete from cache!
// cache.delete(url); // <-- This was missing
}
Because the cache wasn’t cleared, leftover history entries lingered.
Exploit Details
Was this issue exploitable?
Technically, yes, but only in a limited way. An attacker who had access to your unlocked device could potentially recover URLs you thought you had deleted. This is a privacy issue—not a full-blown security breach, but annoying and concerning.
Demonstrating the Behavior
Suppose you deleted your history. With the bug present, a script (run in Safari or another app that uses WebKit) could check for cached data like so:
// This JavaScript snippet checks cached data:
if ('caches' in window) {
caches.keys().then(function(keys) {
keys.forEach(function(key) {
caches.open(key).then(function(cache) {
// Does the cache still have the site you 'deleted'?
cache.match('https://example.com';).then(function(response) {
if (response) {
console.log('History not fully deleted!');
}
});
});
});
});
}
This isn’t the exact inner mechanism, but it demonstrates how cache APIs could reveal supposedly deleted information if the cache is left untouched.
How Did Apple Fix It?
Apple addressed the issue in iOS 17.1 and iPadOS 17.1 by making sure the browser’s deletion routines fully wiped related cache entries when the user asked to clear history. In other words, they added the missing cleaning step:
function deleteHistory(url) {
historyDatabase.delete(url); // Deletes main history
cache.delete(url); // NEW: Also deletes from cache
}
Official Patch Link
- Apple Security Update for iOS 17.1 and iPadOS 17.1
- CVE Details page for CVE-2023-42951
What Should You Do?
- Update your device. If you haven’t already, get iOS/iPadOS 17.1 or later.
- Clear your history again, just to be safe. Now that the fix is in place, this will actually clear all traces.
- If you use private browsing or sensitive browsing sessions, always update to get the latest privacy fixes.
Conclusion
CVE-2023-42951 is a great example of why software maintenance matters—even a simple bug in handling caches can compromise user privacy. Apple’s fix in iOS/iPadOS 17.1 closes this loophole, but it’s a reminder to always keep your devices up to date and aware of security bulletins.
Stay safe, stay private!
References
- Apple Security Updates: iOS 17.1 and iPadOS 17.1
- CVE-2023-42951 at MITRE
- WebKit Bug Tracker
Timeline
Published on: 02/21/2024 07:15:51 UTC
Last modified on: 11/08/2024 17:35:11 UTC