Apple fixes bug that let the FBI recover deleted Signal messages
Source: Bleeping Computer
Article updated with statement from Signal thanking Apple for addressing the vulnerability.
Overview
Apple released out‑of‑band security updates for iPhone and iPad devices to fix a Notification Services flaw that could allow notifications marked for deletion to remain stored on the device.
The bug, tracked as CVE‑2026‑28950, was fixed on April 22, 2026 in:
- iOS 26.4.2 / iPadOS 26.4.2
- iOS 18.7.8 / iPadOS 18.7.8
The Apple security bulletin states: “Notifications marked for deletion could be unexpectedly retained on the device.” Source
Apple said the flaw was fixed through improved data redaction but did not provide additional technical details, nor did it disclose whether the vulnerability had been exploited in the wild.
Connection to FBI Investigation
Recent reporting by 404 Media described how the FBI recovered copies of Signal messages from a suspect’s iPhone, even after the messages had been deleted in the app. According to trial notes published by supporters of the defendants, the recovered data came not from Signal’s encrypted message store but from the iPhone’s internal notification storage.
“Messages were recovered from Sharp’s phone through Apple’s internal notification storage — Signal had been removed, but incoming notifications were preserved in internal memory.” Trial notes
The FBI’s ability to extract these notifications aligns with Apple’s description of the vulnerability, though Apple’s advisory does not reference the case directly.
Signal’s Response
Signal publicly thanked Apple for patching the issue, emphasizing the importance of protecting private communications:
“We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication.” Public statement
Mitigation Steps for Users
-
Update your device – Install the latest iOS/iPadOS updates (iOS 26.4.2, iOS 18.7.8, or later) as soon as possible.
-
Adjust Signal notification settings to prevent message content from being stored in the notification database:
Signal Settings→Notifications→Notification content→ set Show to “Name Only” or “No Name or Content.”
BleepingComputer contacted Apple for comment but has not yet received a response.
End of article.