At some point between Version 6.2.2 and Version 8.0.3, Apple has accidentally jettisoned private browsing in Safari.
As described by Macissues, users of recent Safari versions on the newest flavours of OSX are finding that so-called “private” URLs are turning up in the SQLite database that stores Favicons.
In other words, if your significant other looks through the Safari history, he/she/lizard person of indeterminate gender won't notice that you visited 50 Shades of Gecko at 2:00AM. However, the site's URL will turn up in /<user>/Library/
Safari/WebpageIcons.db, which can be opened with trivial ease using free software like SQLite Browser or SQLite Studio.
Here's how the URL database appears.
All good: Safari 6.2.2 doesn't bork private browsing
In a spirit of journalistic investigation, Vulture South decided to make sure the fault was reproducible before writing this story, and that's how we can tell you that the privacy fail is of moderately recent origin.
On the machine running the older version of Safari, ditching the WebpageIcons.db file and testing what it stored in private and non-private mode showed it doing exactly what it should. URLs from the private browsing session were not stored.
Moving onto the nearly out-of-the-box unit next door with the Version 8 build of Safari, the fault reported at Macissues turned up exactly as reported on that site. ®
Oh dear ... Facebook was supposed to be a private session on Safari 8.0.3
- Apple M1
- Black Hat
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Identity Theft
- Palo Alto Networks
- Tim Cook