Apple Patches iPhone Bug That Let the FBI Read Deleted Signal Messages
Apple has released a new update to urgently patch a privacy flaw affecting iOS and iPadOS. This bug caused deleted notifications to remain in device memory: the FBI recently used it to recover Signal messages.
CVE-2026-28950 Affects iPhone and iPad
On April 22, 2026, the Cupertino company rolled out out-of-band security fixes, meaning outside the usual cycle, to patch a vulnerability in the notifications service of iOS and iPadOS. Tracked as CVE-2026-28950, it can lead to information disclosure.
In its security bulletin, Apple simply states: "Notifications marked for deletion could be retained unexpectedly on the device."
What is surprising is that Apple provides no further details:
- Has this vulnerability already been exploited by cybercriminals? It is not specified, but the fact that an emergency patch was issued for this flaw alone suggests that it may have been. Yet Apple is usually transparent on this point.
- Apple did not provide any additional technical information: how long could notification data remain stored? We do not know.
But there is still an explanation for all this...
The Signal Case: When the FBI Digs Into Notifications
As part of a court case, the FBI recently managed to recover copies of Signal messages on a suspect's iPhone, even though the messaging app had been uninstalled from the phone.
The trial notes also provide details that connect this method to the security flaw: "The messages were recovered from Sharp's phone via Apple’s internal notification storage — Signal had been deleted, but incoming notifications were preserved in internal memory."
Signal also welcomed the fact that this security flaw was fixed: "We are very happy that Apple released a patch and security advisory today. This announcement follows @404mediaco’s report that the FBI accessed the content of Signal message notifications via iOS, even though the app had been deleted," reads a post on X.
For Signal users, this is still reassuring: the encryption mechanisms used to store messages are not being called into question; this is clearly a weakness in Apple’s notification system. However, it is reasonable to think that this notification flaw could also make it possible to recover other information.
How Can You Protect Yourself?
To prevent the contents of your old notifications from lingering in the depths of your iPhone or iPad, it is recommended that you install the latest security patches released by Apple. Here are the new updates released:
- iOS 26.4.2
- iOS 18.7.8
- iPadOS 26.4.2
- iPadOS 18.7.8
You can customize Signal’s settings to prevent the text of your messages from appearing in iPhone notifications. That way, only the sender name will be shown — or nothing at all, except the fact that a new message has arrived.
Here’s how to do it in the Signal app:
- Go to Signal’s Settings.
- Open Notifications, then Notification Content.
- Change the display to select "Name Only" or "No Name or Content".
"Please note that no action is required for this fix to protect Signal users on iOS. Once the patch is installed, all inadvertently retained notifications will be deleted and no future notifications will be retained for deleted apps," Signal explains.


