Apple patches bug that allowed FBI to recover deleted Signal messages, receives kudos
Tech giant Apple has fixed a security flaw that had allowed the FBI to access a Signal user’s deleted messages through their phone’s push notification database, despite the app being deleted and messages being set to disappear.
The bug was publicized by 404 Media a couple of weeks ago. According to its report, the FBI was able to forensically extract copies of incoming Signal messages from a suspect’s iPhone by simply looking into the device’s push notification database.
It soon turned out that any app with permission to show previews and alerts on the Lock Screen would save those previews to the user’s iPhone’s internal memory.
Of course, this wouldn’t happen if the user changed what Notification Content appears. If, for example, they changed the settings to “No Name or Content,” even if someone accessed their alerts, all they would see is that the user received a Signal message – not who sent it or what it contains.
Check if your data has been leaked
Following the 404 Media report, Signal President Meredith Whittaker called on Apple to quickly fix the issue, noting in an April 15th X post that “notifications for deleted messages shouldn't remain in any OS notification database.”
And now, Apple says it has fixed the bug that allowed “notifications marked for deletion” to be “unexpectedly retained on the device.”
As per Apple’s security bulletin, the bug, tracked as CVE-2026-28950, was fixed on April 22nd, 2026, in iOS 26.4.2 and iPadOS 26.4.2 and in iOS 18.7.8 and iPadOS 18.7.8.
Apple doesn’t say whether the flaw was exploited in any attacks or why it was actually addressed outside the normal security update cycle. Technical details are also lacking.
Still, Signal – widely considered to be the best way to communicate more securely – has commended Apple for the action to patch the vulnerability, which threatened the safety of private conversations.
“We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication,” Signal said in an X post.
Now, once Signal users install the patch, all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications.
Unlock more exclusive Cybernews content on YouTube.
