Security critics have raised concerns about the new iCloud behaviour in Max OS X Yosemite. While the automatic uploading of documents is generally seen as a welcome feature, it appears that the iCloud sync saves more than what the user intends; this includes documents that have deliberately been left unsaved or are never meant to be uploaded.
Jeffrey Paul, a security researcher and hacker from Berlin, raised the point on his blog after he discovered that several private text documents that were meant to store passwords locally on his encrypted computer were being uploaded to the iCloud. He later discovered that this automated behaviour extends to all text editing software with an autosave feature on Yosemite. It will also sync all contacts ever corresponded with to Apple’s addresses service. Preventing users from separating between work and personal contacts.
The issue at hand is not that the service is autosaving documents for ease of access; Yosemite already asks for permission to synchronise between Apple accounts for the purpose of the Continuity feature. Instead, it is that the service does not allow the user to select the default location for the save to happen. This matters in the case that a user creates a private file to storing passwords on an encrypted document. In this case, the encrypted file would be save on the computer, but the unencrypted autosave file would exist on the iCloud. Considering the recent security breaches involving Apple’s cloud service, this a worrying occurrence.
Naturally, the feature can be disabled within the settings by accessing System Preferences > iCloud > Documents & Data. Any users who would rather not share all their documents with the iCloud should double check the settings just in case.
[Source: Ars Technica; Datavibe]
