No automatic solution available for the problem

Mar 18, 2015 14:02 GMT

A bug in Apple’s Safari causes the addresses loaded in private browsing sessions to be stored in plain text in the browser’s favicon database, which can be accessed using publicly available tools without too much effort.

As per the definition from Apple, when using Private Browsing, “Safari doesn’t save your browsing history, and it asks websites you visit not to track you.”

Database file can be easily opened

However, it looks like the feature is not working correctly in the latest versions of the browser and of OS X, as the URLs accessed in private mode are saved in WebpageIcons.db, a database whose purpose is to record favicon images of accessed web pages so they can be rendered in other areas, such as the browser history list or bookmarks.

The file can be easily opened with any database browsing application like SQLite Browser, but the same can be achieved, although in a much less organized manner, using TextEdit, the default text editor in OS X, or the built-in “sqlite3” terminal utility.

The privacy flaw was noticed by MacIssues reader Tyler C, who said that he bumped into it while troubleshooting problems with Safari. When he opened the WebpageIcons.db file, he noticed URLs of sites loaded during private browsing sessions.

Clearing browsing history does not solve the problem

“The URLs seem to stay in there basically forever unless you clear out all your browsing data (which defeats the entire purpose of using a ‘private window’),” reader Tyler C. said.

A test from Softpedia confirmed the problem, as the private entries persist even if the command to clear history and website data is executed.

This may not be an issue on systems with a single user, but it is a reason for concern on machines handled by multiple individuals.

On the same note, this glitch could be used by other individuals with brief access to the computer, who could attempt to peek into the user's browsing habits.

Until a fix is delivered, one way to eliminate the risk is to manually delete the WebpageIcons.db file, although this is quite an uncomfortable workaround.
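
The persistence test and the deletion workaround described above can be scripted as a self-check on your own machine. The following is an added example, not code from the article, MacIssues or Apple. It assumes page addresses are kept in a table named PageURL with a url column (the layout of WebKit's icon database); the canary URLs and the sample database are constructed, and the real file's location must be supplied by the reader.

```python
import sqlite3
import tempfile
from pathlib import Path

# Assumption: page addresses live in a table PageURL(url, iconID), the layout
# used by WebKit's icon database; adjust if the file on your system differs.
QUERY = "SELECT 1 FROM PageURL WHERE url LIKE ? ESCAPE '\\' LIMIT 1"


def leaked_canaries(db_path, canaries):
    """Return the canary URL prefixes that are present in the icon database."""
    path = Path(db_path).resolve()
    if not path.exists():  # file already deleted (the manual workaround)
        return []
    # Open read-only so the check never modifies the database it inspects.
    conn = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)
    try:
        found = []
        for canary in canaries:
            # Escape LIKE wildcards so the canary is matched literally.
            pat = canary.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
            if conn.execute(QUERY, (pat + "%",)).fetchone():
                found.append(canary)
        return found
    finally:
        conn.close()


def build_sample_db(path):
    """Create constructed sample data standing in for a real WebpageIcons.db."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE PageURL (url TEXT NOT NULL, iconID INTEGER NOT NULL)")
    conn.executemany("INSERT INTO PageURL VALUES (?, ?)", [
        ("https://news.example/", 1),
        ("https://private-canary.example/test-page", 2),  # private-window visit
    ])
    conn.commit()
    conn.close()


def demo():
    canaries = ["https://private-canary.example/", "https://never-visited.example/"]
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "WebpageIcons.db"
        build_sample_db(db)
        before = leaked_canaries(db, canaries)  # canary still recorded
        db.unlink()                             # apply the workaround
        after = leaked_canaries(db, canaries)
    return before, after
```

To use it against a real profile, visit a canary page only in a private window, clear history, then call `leaked_canaries` with the path to the icon database and the canary address; an empty list means nothing was retained.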