Categories
iCloud News security

Security researcher finds unsaved files are automatically saved into iCloud

icloudicon

This may not be what Apple intended to have happen with iCloud.

And there may be a patch coming for it posthaste.

According to Slate, security researcher Jeffrey Paul recently noticed that Apple’s default autosave is storing in-progress files—the ones you haven’t explicitly saved yet—in the cloud, not on your hard drive. Unless you decided to hit save before you start typing, or manually changed the default settings, those meeting notes, passwords, and credit card numbers you jotted down in “Untitled 17” are living in iCloud.

Although this issue seems to be a recent phenomenon, it appears that it’s been happening since at least December of 2013, according to Apple’s Knowledge Base, and it doesn’t just affect TextEdit, but also Preview, Pages, Numbers, and Keynote. Hopefully there wasn’t anything sensitive on those screenshots, spreadsheets, presentations, and documents you haven’t yet saved, or you were using other programs. Luckily, Word for Mac files don’t seem to be affected in this way.

You can turn off this surreptitious feature in Documents & Data —> Apple —> System Preferences —> iCloud —> Documents & Data, or you can save your empty file before you even start typing. But that’s not really the point. The problem is that users intuitively expect their in-progress documents to be saved locally, but these files are being stored on the Cloud instead.


“It’s a behavior nobody expects,” says Matthew D. Green, a research professor teaching applied cryptography at Johns Hopkins University Information Security Institute.* “I’m fine with things that I haven’t saved being stored on the hard disk. I’m OK with that. I think it’s a nice feature. But things that I haven’t explicitly put on in the Cloud getting snuck onto the Cloud is a bizarre feature.”

Although it seems that the feature has been around for a while, Green says most people haven’t noticed: It’s not well-labeled in the operating system, and there’s no warning box to let the user know it has happened. And even though Apple’s documentation states that once you save a file locally, it will be removed from iCloud, Green points out that cloud storage doesn’t always support immediate deletion—so that information you typed in the file or those screenshots you previewed may still live in the Cloud for a while after you’ve saved them on your hard drive.

Users were up in arms about a free U2 album being synced to their phones, but outside of the security community, there’s been little public outcry about these troubling autosave defaults. “I’m baffled as to why people don’t think it’s a big deal,” says Green. “It’s a big deal to me.”

There is always a tension between security and usability. That’s the reason so many people pick lousy iCloud passwords—they double up as Apple ID passwords and are used time and time again for iPhone app purchases for anyone who hasn’t enabled Touch ID. This makes accounts more vulnerable to being hacked. Even enabling two-factor authentication—which many users do not do—has many limitations and workarounds.

Some users may not care if their drafts and unsaved screenshots are traveling across the Internet and being uploaded to Apple cloud servers. That doesn’t mean that there shouldn’t be some kind of opt-in or a warning for all users—since so many are unaware that there’s some hidden feature buried somewhere in their settings that they need to selectively disable for any app they don’t want to be automatically synced to the cloud.

This may not be the world’s most egregious privacy and/or security breach, but it’s something to remain aware of. Stay tuned for additional details as they become available.