Apple has released a critical security update for iOS and iPadOS to address a vulnerability that allowed law enforcement to recover deleted messages from the encrypted messaging app Signal. The flaw, discovered by the FBI, exploited a logging issue within the Notification Services, where messages marked for deletion were unexpectedly retained on the device.

Key Takeaways

• Apple has fixed a vulnerability (CVE-2026-28950) in iOS and iPadOS that allowed deleted Signal messages to be recovered.

• The FBI exploited this flaw by accessing the device's push notification database, where deleted message content was retained.

• The fix ensures that inadvertently preserved notifications are deleted and no new ones are stored for deleted applications.

• Users can further enhance privacy by configuring Signal notifications to show only names or no content.

The Vulnerability Explained

The security flaw, tracked as CVE-2026-28950, was a logging issue within Apple's Notification Services. It meant that notifications, even those marked for deletion, could remain on the device. This allowed the FBI to forensically extract copies of incoming Signal messages from an iPhone, even after the app had been deleted and the messages were intended to self-destruct. The messages were found in the device's push notification database.

FBI's Discovery and Signal's Response

The vulnerability came to light following a report by 404 Media, which detailed how the FBI successfully retrieved deleted Signal messages from a defendant's iPhone in connection with an investigation. Signal, while not at fault for the bug itself, acknowledged Apple's swift action. In a statement on X, Signal confirmed that the patch would delete all inadvertently preserved notifications and prevent future ones from being stored for deleted applications. They expressed gratitude to Apple for addressing the issue, emphasizing the importance of ecosystem collaboration in protecting private communication.

Affected Devices and Fix Details

Apple addressed the vulnerability with improved data redaction. The fix is included in iOS 26.4.2 and iPadOS 26.4.2, as well as iOS 18.7.8 and iPadOS 18.7.8. The company's advisory stated, "Notifications marked for deletion could be unexpectedly retained on the device."

Enhancing Notification Privacy

While the patch resolves the core issue, users can take additional steps to safeguard their message content. Within the Signal app, users can navigate to Profile > Notifications > Show and select either "Name only" or "No name or message." This ensures that even if notifications are accessed, the sensitive content of messages remains hidden.

The Electronic Frontier Foundation (EFF) also commented on the matter, advising users to reconsider the necessity of app notifications and the potential metadata that could be gleaned from them.

By staying vigilant and adopting safe browsing practices, users can significantly reduce their exposure to these evolving threats. As cyber threats continue to evolve, your security strategy needs to evolve with them. BetterWorld Technology delivers adaptive cybersecurity solutions designed to keep your business secure while supporting innovation. Connect with us today to schedule a personalized consultation.

Sources

• Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages, The Hacker News.

• Apple patches bug that let FBI access deleted Signal messages, Straight Arrow News - SAN.

• Apple bug fix stops FBI from recovering deleted Signal messages, Mashable.

• Apple fixes flaw that let FBI extract deleted Signal messages​, Cybernews.

• Did Apple Just Fix the iPhone Bug That Let the FBI Recover Deleted Signal Messages?, Lifehacker.